EPISTEMOLOGY OF INFORMATION FLOW IN THE MULTILEVEL SECURITY OF PROBABILISTIC SYSTEMS

Figure 1: The General Form of a System

1  Introduction 

Multilevel security is the aspect of computer security concerned with protecting information that is classified with respect to a multilevel hierarchy (e.g., UNCLASSIFIED, SECRET, TOP SECRET). A probabilistic system is a hardware or software system that makes probabilistic choices (e.g., by consulting a random number generator) during its execution. Such probabilistic choices are useful in a multilevel security context for introducing noise to reduce the rate of (or eliminate) illicit communication between processes at different classification levels. In this paper, we are concerned with definitions of perfect (information-theoretic) multilevel security in the sense that the definitions rule out all illicit communication without relying on any complexity-theoretic assumptions. That is, our model allows the system penetrators to have unlimited computational power and yet, our definitions are still sufficient to ensure that there can be no illicit communication.¹

The systems that we address can be depicted in the form shown in Figure 1. This general form is intended to represent systems including physical hardware with hard-wired connections to other systems, an operating system kernel with connections to other processes provided by shared memory, and processes executing on a multiprocessor with connections to other systems provided by an interprocess communication (IPC) mechanism.

• There is a system, called Σ, that provides services to the other systems. For example, in the case of a multiuser relational database, Σ would store and control access to a set of relations. Σ is the system with respect to which we will be reasoning about multilevel security.

¹ Of course in practice we do not have true random number generators — merely pseudo-random number generators — and so, systems that depend on random number generators for their security will not be able to achieve the ideal of perfect multilevel security. In such cases, one would want to prove, e.g., that under the assumption that penetrators are limited to a polynomial amount of time, the pseudo-random number generator is as good as random. We relegate such considerations to a lower level of analysis.

• There is a set of systems (labeled $S_1, S_2, \ldots, S_i$ in the figure), called the “covert senders”, that have access to secret information. These systems are called “covert senders” because they may attempt to covertly send secret information, via Σ, to other systems that are not authorized to see the information. It is these attempts with which we are concerned. As is commonly done in the literature, we will often refer to the covert senders as high systems (referring to the situation where the covert senders have access to highly classified information). We will also refer to the set of covert senders collectively as the high environment, denoted ℋ. These systems are part of “the environment” in the sense that they are in the environment of the central system, Σ.

• There is a second set of systems (labeled $R_1, R_2, \ldots, R_j$ in the figure), called the “covert receivers”, that are not authorized to see the secret information that is available to the covert senders. We will often refer to the covert receivers as low systems, or collectively as the low environment, denoted ℒ.

If the covert senders are able to use Σ to communicate information to the covert receivers, we will say that Σ has a covert channel, or equivalently (for our purposes) that Σ is insecure. A few notes are in order.

1. It is important to bear in mind that the threat that we are concerned with is not that the users (i.e., the human users) of the covert sender systems are attempting to send secret information to the covert receivers. We assume that if they wanted to, they could more easily pass notes in the park and entirely bypass Σ. Rather, we are concerned that the covert senders are actually trojan horses (i.e., they appear to be something that the user wants, but actually contain something else that is entirely undesirable to the user) and that these trojan horses are attempting to send secret information to the covert receivers. This is a legitimate concern since system developers do not want to incur the cost of verifying every component of a conglomerate system with respect to multilevel security requirements. Ideally, only a small number of components in the system (e.g., in our case only Σ) have security requirements, and so require verification; while the remaining components can be implemented by off-the-shelf hardware and software that are unverified with respect to security (and therefore may be trojan horses).

We assume a worst case scenario, where all of the covert senders and covert receivers are trojan horses; indeed, we assume that all of the trojan horses are cooperating in an attempt to transmit information from the covert senders to the covert receivers.

2. It is also important to bear in mind that in our intended application, the covert senders will not be able to communicate directly to the covert receivers (i.e., by bypassing Σ). Typically, there are hardware or software controls to prevent this. For example, non-bypassability is one of the well-known principles of a “reference monitor” (see [Gas88]), which is one of the typical applications we have in mind.

3. Our model contrasts sharply with much other work on security (e.g., [Mea92], [DDWY93]) in that we consider a set of untrusted agents (viz., the covert senders and receivers) that are connected via a trusted agent, whereas these other works consider a set of trusted agents connected via an untrusted agent. This difference in our model reflects the difference in the respective applications. The work of [Mea92] and [DDWY93] is intended to be used to analyze a set of legitimate (and trusted) agents that are attempting to establish secure communication over an untrusted network. In that work, the assumption is that the penetrator is able to subvert the network (i.e., the central component of the system), but not the trusted (lateral) agents.

In contrast, our work is intended to be used to analyze a centralized server that serves a set of untrusted entities. Correspondingly, our assumption is that the penetrator may be able to subvert the untrusted (lateral) agents, but not the central server.

4. The fact that we have partitioned the set of systems external to Σ into two sets, high and low, may seem to indicate that we are limiting ourselves to two levels of information (e.g., SECRET and UNCLASSIFIED). However, this is not the case. In a more general setting, information is classified (users are cleared, resp.) according to a finite, partially ordered set (see e.g., [Den76]); that is, there is a finite set of classification levels (clearance levels, resp.) that is ordered by a reflexive, transitive, and antisymmetric relation, which we call dominates. A given user is permitted to observe a given piece of information only if the user’s clearance dominates the classification of the information. In the case where there are more than two levels, a separate analysis would be performed for each level, x; in each analysis, the set of levels would be partitioned into those that are dominated by x (i.e., the “low” partition) and the set of levels that are not dominated by x (i.e., the “high” partition). Thus, we have lost no generality by restricting our attention to two levels.

Our problem is to develop a logic that can be used to reason about the multilevel security of a given system Σ. In particular, we would like to be able to verify whether or not a given (probabilistic or deterministic) system has any covert channels. Our approach is similar to Glasgow, MacEwen, and Panangaden’s [GMP90] and Bieber and Cuppens’ [BC92] in that our primary definition of security is given in terms of modal logic. In particular, as in [BC92],² we say that a system is secure with respect to the set of low processes, denoted ℒ, if and only if for any logical formula φ, the following formula is derivable from the given premises, describing e.g., the behavior of the system Σ.

$$\Box\bigl(K_{\mathcal{L}}(\varphi) \rightarrow R_{\mathcal{L}}(\varphi)\bigr) \qquad (1)$$

where $\Box(\psi)$ is intuitively regarded as “always ψ”, $K_{\mathcal{L}}(\varphi)$ is intuitively regarded as “ℒ knows φ” and $R_{\mathcal{L}}(\varphi)$ is intuitively regarded as “ℒ is permitted to know φ”. Our work extends that of [GMP90] and [BC92] in that our logic includes explicit means to specify and reason about the probabilistic behavior of systems. That is, in our logic, the formula φ may say e.g., “the probability of a given high process’s input is .99”. For such a φ, the formula $K_{\mathcal{L}}(\varphi) \rightarrow R_{\mathcal{L}}(\varphi)$ says that if ℒ knows that the probability of a given high process’s input is .99, then ℒ is permitted to know that the probability of that high process’s input is .99.

The motivation for reasoning about the probabilistic behavior of systems has appeared in examples and discussions of many authors (cf. [Bro91, Gra92, MR88, McC88, McL90, WJ90]). Essentially, the motivation is that it is possible for a probabilistic system to satisfy many existing definitions of security (e.g., Sutherland’s Nondeducibility [Sut86], McCullough’s Restrictiveness [McC90], etc.) and still contain probabilistic covert channels.

Others have developed logics to reason about knowledge and probability in the areas of artificial intelligence (viz., Ruspini [Rus87]) and protocol analysis (viz., Fagin and Halpern [FH94]). Semantically, the framework of Halpern and Tuttle ([HT93]) encompasses the other two and, in fact, we are also able to make use of their framework to give a semantics to our logic.

A primary contribution of the present paper is the unification of the logical approach to multilevel security developed by Glasgow, MacEwen, and Panangaden [GMP90] and Bieber and Cuppens [BC92] with the work on security of probabilistic systems done by McLean [McL90], Browne [Bro89], and the first author [Gra92]. In particular, we prove that the semantic interpretation of (1) is equivalent to Gray’s Probabilistic Noninterference (which is itself equivalent to Browne’s Stochastic Non-Interference). We also give a verification condition (in our logic) and prove that it is equivalent to Gray’s Applied Flow Model (which is closely related to McLean’s Flow Model). These results are doubly advantageous. On the one hand they constitute a formalization of the just cited information-theoretic approaches to security. On the other hand, to the extent that the just cited logical works are viewed not just as formalizations but as another basic approach to security, the results in this paper amount to a demonstration of the equivalence of independently motivated characterizations of security. We consider this to be strong evidence that both characterizations have ‘got things right’. For a discussion of the importance of such equivalences see, e.g., [McL87].

² For technical reasons, Bieber and Cuppens’ definition omitted the □ operator.

The remainder of the paper is organized as follows. In §2 we set out our model of computation. In §§3 and 4, we set out the syntax and semantics of our logic, and in §5, we prove its soundness. In §6 we state our primary definition of security and prove that it is equivalent to Probabilistic Noninterference. In §7 we state our verification condition and show that it is equivalent to the Applied Flow Model. Finally, in §8, we give some conclusions of this work.


2  System  Model 

In this section, we describe our system model. This is the model by which we will (in §4) give semantics to our logic. First, we describe the general system model, which is taken from Halpern and Tuttle [HT93]. Then, we will tailor the model to our needs by (in Halpern and Tuttle’s terminology) choosing the “adversaries”. Finally, we impose some additional structure on the model, resulting in our application-specific model.

2.1  General  System  Model 

In this subsection we review the general system model of Halpern and Tuttle. A complete description of their model can be found in [HT93].

We have a set of agents, $P_1, P_2, \ldots, P_n$, each with its own local state. The global state is an n-tuple of the local agents’ states.³ A run of the system is a mapping of times to global states. We assume that time is discrete because we are dealing with security at the digital level of the system. We are not, for example, addressing security issues such as analog channels in hardware. Therefore, as in [HT93], we will assume that times are natural numbers.

The probabilities of moving among global states are represented in the model by means of labeled computation trees. The nodes of the trees represent global states. For any given node in a tree, the children of that node represent the set of global states that could possibly come next. Each arc from a node to one of its children is labeled with the probability of moving to that state. Thus, from any given node, the sum of the probabilities on its outgoing arcs must be one. As in [HT93], we also assume that the set of outgoing arcs is finite and that all arcs are labeled with nonzero probabilities. This final assumption can be viewed as a convention that if the probability of moving from state x to state y is zero, then state y is not included as a child of state x.

Certain events in a system may be regarded as nonprobabilistic (while still being nondeterministic). The typical example occurs when a user is to choose an input and in the analysis of the system, we do not wish to assign a probability distribution to that choice; in such a case, we regard that choice as nonprobabilistic. All nonprobabilistic choices in the system are lumped into a single choice that is treated as being made by an “adversary” prior to the start of execution. Thus, after this choice is made, the system’s execution is purely probabilistic. In Halpern and Tuttle’s words, the nonprobabilistic choices have been “factored out”.

In the model of computation, each possible choice by the adversary corresponds to a labeled computation tree. In other words, a system is represented as a set of computation trees, each one corresponding to a different choice by the adversary. There is no indication how the adversary’s choice is made, just that it is made once and for all, prior to the start of execution.


2.2 Application-Specific System Model

In this section, we impose some additional structure on the general model described in the previous section. We fix the set of agents, fix our model and intuitions regarding communication, place some (environmental) constraints on the agents, and fix the set of choices available to the adversary.

³ Halpern and Tuttle also include the state of the “environment” as part of the global state. However, we will not be needing this for our application and so we omit it.

AGENTS As indicated in Figure 1 and the surrounding discussion, we can limit our model to three agents: (1) the system under consideration, denoted Σ, (2) the covert senders (or alternatively, the high environment), denoted ℋ, and (3) the covert receivers (or alternatively, the low environment), denoted ℒ. In the remainder of the paper, we will tacitly assume that the global system is comprised of these three agents.

MODEL OF COMMUNICATION Our model of communication is similar to those of [BC92], [Gra92], and [Mil90]. We view Σ’s interface as a collection of channels on which inputs and outputs occur. Since we consider the agent ℋ (resp., ℒ) to consist of all processing that is done in the high (resp., low) environment, including any communication mechanism that delivers messages to Σ, we will not need to model messages in transit or, in Halpern and Tuttle’s terminology, the state of the environment; rather, these components of the global state will be included as part of ℋ’s and ℒ’s state.

In many systems of interest, the timing of events is of concern. (See [Lam73] for an early description of covert communication channels that depend on timing; see [Wra92] for more recent work.) In such cases, we model the passage of time by taking the set of times (i.e., the domain of the runs) to be the ticks of some clock that is independent of the covert senders’ and receivers’ processing. For example, we may think of this clock as being Σ’s system clock. In this way, covert channels that depend on time can be properly accounted for.

Since the mechanisms of high-level⁴ I/O routines may introduce covert channels (see, e.g., [McC88, §2.3]), we take a very low-level view of I/O. In particular, we assume one input and one output per channel per unit time. That is, for each time we have a vector of inputs (one for each channel) and a vector of outputs (one for each channel). If a given agent produces no new data value at a given time, it may in fact serve as a signal in a covert channel exploitation. Hence, we treat such “no new signal” events as inputs. Similarly, we do not consider the possibility that the system can prevent an input from occurring. Rather, the system merely chooses whether to make use of the input or ignore it. Any acknowledgement that an input has been received is considered to be an output.

⁴ In this context, “high-level” means highly abstract rather than highly classified.

Given these considerations, we fix our model of communication as follows. We assume the following basic sets of symbols, all nonempty:


C: a finite set of input/output channel names, $c_1, \ldots, c_k$,

I: representing the set of input values,

O: representing the set of output values,

$\mathbb{N}^+$: representing the set of positive natural numbers. This set will be used as our set of “times”.

Since there is one input per channel at each time, we will be talking about the vector of inputs that occurs at a given time. We will denote the set of all vectors of inputs by $I[C]$. Typical input vectors will be denoted $a, a', a_1, \ldots \in I[C]$.

Similarly, we will denote the set of all output vectors by $O[C]$ and typical output vectors will be denoted $b, b', b_1, \ldots \in O[C]$.

Now, to talk about the history of input vectors up to a given time, we introduce notation for traces. We will denote the set of input traces of length k by $I_{C,k}$. Mathematically, $I_{C,k}$ is a shorthand for the set of functions from $C \times \{1, 2, \ldots, k\}$ to I. Therefore, for a trace $\alpha \in I_{C,k}$, we will denote the single input on channel $c \in C$ at time $k' \le k$ by $\alpha(c, k')$.

We will also need to talk about infinite traces of inputs. For this we use the analogous notation $I_{C,\infty}$, which is shorthand for the set of functions from $C \times \mathbb{N}^+$ to I.

Similarly, we will denote the set of output traces of length k by $O_{C,k}$ and the set of infinite output traces by $O_{C,\infty}$. Naturally, for an output trace β, $\beta(c, k)$ represents the output on channel c at time k.

There will be situations when we want to talk about vectors or traces of inputs or outputs on some subset of the channels, $S \subseteq C$. In such cases we will use the natural generalizations of the above notations, viz., $I[S]$, $I_{S,k}$, $I_{S,\infty}$, etc.

ENVIRONMENTAL CONSTRAINTS Any given agent will be able to see the inputs and outputs on a subset of the channels. We make this precise by “restricting” vectors and traces to subsets of C. Given an input vector $a \in I[C]$ and a set of channels $S \subseteq C$, we define $a \restriction S \in I[S]$ to be the input vector on channels in S such that $a \restriction S(c) = a(c)$ for all $c \in S$.

Similarly, given an input trace $\alpha \in I_{C,k}$ and a set of channels $S \subseteq C$, we define $\alpha \restriction S \in I_{S,k}$ to be the input trace for channels in S such that $\alpha \restriction S(c, k') = \alpha(c, k')$ for all $c \in S$ and all $k' \le k$.

We assume that the set of low channels, denoted L, is a subset of C. Intuitively, L is the set of channels that the low environment, ℒ, is able to directly see. In particular, ℒ is able to see both the inputs and the outputs that occur on channels in L.

In practice, there will be some type of physical or procedural constraints on the agent ℒ to prevent it from directly viewing the inputs and outputs on channels in $C - L$. For example, those channels may represent wires connected to workstations that are used for processing secret data. In this case, the secret workstations might be located inside a locked and guarded room. In addition, periodic checks of the wires might be made to ensure that there are no wiretaps on them. In this way, ℒ is prevented from directly viewing the data that passes over the channels in $C - L$.

On the other hand, we place no constraints on the set of channels that ℋ is able to see. In particular, we make the worst-case assumption that ℋ is able to see all inputs and outputs on all channels.

The above considerations are consistent with what we’ve called the “Secure Environment Assumption” in previous work [Gra92, GS92]. In the present paper, this assumption is made precise in terms of our definition of the adversary to be given next.

THE ADVERSARY As discussed above, in Halpern and Tuttle’s framework, all nonprobabilistic choices are factored out of the execution of the system by fixing an adversary at the start of execution. To make use of this framework, we must define the set of possible adversaries from which this choice is made.

The “adversary” in our application is the pair of agents, ℋ and ℒ, that are attempting to send data from the high environment across the system Σ to the low environment. To be fully general, we model these agents as mixed strategies (in the game-theoretic sense). That is, at each point in the execution of the system the strategy gives the probability distribution over the set of next possible inputs, conditioned on the history up to the current point. In the next section, we present an example to motivate the need for such generality. Before doing that, we make the adversary precise with the following two definitions.
Definition 2.1 An adversary is a conditional probability function, $A(a \mid \alpha, \beta, k)$. Here $a \in I[C]$ and k is some time such that there is a time $k'$ with $k \le k' \le \infty$, and $\alpha \in I_{C,k'}$ and $\beta \in O_{C,k'}$. (The k indicates that the probability of a is conditional only on the restriction of α and β to k.) Intuitively, the adversary describes the environment’s conditional distribution on the next input vector, given the previous history of inputs and outputs. □

Later in this section, we describe how a given adversary A and the description of a particular system, Σ, are used to construct the corresponding computation tree $T_A$.

Definition 2.2 We say that an adversary A satisfies the Secure Environment Assumption with respect to a set of channels $L \subseteq C$ iff there exists a pair of conditional probability functions ℋ and ℒ such that for all $a \in I[C]$, $k \in \mathbb{N}^+$, all $\alpha \in I_{C,k}$, and all $\beta \in O_{C,k}$,

$$A(a \mid \alpha, \beta, k) = \mathcal{H}\bigl(a \restriction (C - L) \mid \alpha, \beta, k\bigr) \cdot \mathcal{L}\bigl(a \restriction L \mid \alpha \restriction L, \beta \restriction L, k\bigr)$$

(where · denotes real multiplication). □

The Secure Environment Assumption can be intuitively understood as saying that the input on channels in $C - L$ at time k is (conditionally) statistically independent of the input on channels in L at time k, and the input on channels in L at time k depends only on previous inputs and outputs on channels in L. For the remainder of this paper, we will assume that all adversaries from which the initial choice is made satisfy the Secure Environment Assumption.
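As an added illustration, not code from the paper, the following Python models the input vectors, traces and restriction operator of this section over a constructed two-channel instance (channels h and l, with L = {l}; the channel names, the probabilities and the function names are assumptions for the example) and decides Definition 2.2 for two constructed adversaries: one that factors into an ℋ part and an ℒ part as required, and one whose ℒ part depends on the previous input on the high channel, which the low environment is not supposed to see. The check works directly from the joint distribution: it tests that the high and low parts of the next input are conditionally independent and that the low part's distribution agrees across all histories with the same low-restricted view.

```python
"""Input vectors, traces, channel restriction and a finite check of the
Secure Environment Assumption (Definition 2.2) on a constructed toy instance."""
from itertools import product
from math import isclose

# Constructed toy alphabet (not from the paper): C = {h, l}, L = {l}, I = O = {0, 1}.
CHANNELS = ("h", "l")
LOW = frozenset({"l"})                    # L: the channels the low environment sees
HIGH = frozenset(CHANNELS) - LOW          # C - L
VALUES = (0, 1)


def restrict_vector(a, S):
    """a restricted to S: keep only the channels in S."""
    return {c: v for c, v in a.items() if c in S}


def restrict_trace(alpha, S):
    """alpha restricted to S; alpha(c, k') is alpha[k' - 1][c]."""
    return tuple(restrict_vector(a, S) for a in alpha)


def vectors(channels=CHANNELS, values=VALUES):
    """Every vector in I[C] (equally O[C]) over the toy alphabet."""
    return [dict(zip(channels, vs)) for vs in product(values, repeat=len(channels))]


def vkey(a):
    """Hashable key for a (possibly restricted) vector."""
    return tuple(sorted(a.items()))


def tkey(trace):
    """Hashable key for a (possibly restricted) trace."""
    return tuple(vkey(a) for a in trace)


def adversary_sea(a, alpha, beta, k):
    """A(a | alpha, beta, k) that factors as an H part times an L part.
    H part: the high input is 1 w.p. 0.7 if the last low output was 1, else 0.3
            (H may look at everything, here at the output on channel l).
    L part: the low input repeats the last low input w.p. 0.8, so it depends
            only on the low-restricted history."""
    p_h1 = 0.7 if beta[-1]["l"] == 1 else 0.3
    h = p_h1 if a["h"] == 1 else 1.0 - p_h1
    l = 0.8 if a["l"] == alpha[-1]["l"] else 0.2
    return h * l


def adversary_leaky(a, alpha, beta, k):
    """Violates the SEA: the low input copies the previous HIGH input w.p. 0.9,
    so the distribution of a restricted to L depends on alpha restricted to C - L."""
    p_l = 0.9 if a["l"] == alpha[-1]["h"] else 0.1
    return 0.5 * p_l


def satisfies_sea(A, k=1):
    """Decide Definition 2.2 for A over all histories of length k of the toy system:
    (1) A(a | alpha, beta, k) equals the product of its high and low marginals, and
    (2) the low marginal is the same for all histories with equal (alpha|L, beta|L)."""
    ins = vectors()
    low_marginals = {}   # (alpha|L, beta|L) -> marginal distribution of a|L
    for alpha in product(ins, repeat=k):
        for beta in product(vectors(), repeat=k):
            joint, marg_h, marg_l = {}, {}, {}
            for a in ins:
                p = A(a, alpha, beta, k)
                joint[vkey(a)] = p
                kh, kl = vkey(restrict_vector(a, HIGH)), vkey(restrict_vector(a, LOW))
                marg_h[kh] = marg_h.get(kh, 0.0) + p
                marg_l[kl] = marg_l.get(kl, 0.0) + p
            if not isclose(sum(joint.values()), 1.0):
                return False          # A is not a probability distribution here
            for a in ins:             # (1) conditional independence of the two parts
                kh, kl = vkey(restrict_vector(a, HIGH)), vkey(restrict_vector(a, LOW))
                if not isclose(joint[vkey(a)], marg_h[kh] * marg_l[kl]):
                    return False
            key = (tkey(restrict_trace(alpha, LOW)), tkey(restrict_trace(beta, LOW)))
            seen = low_marginals.setdefault(key, marg_l)   # (2) low part sees only L
            if any(not isclose(seen[kl], marg_l[kl]) for kl in marg_l):
                return False
    return True


if __name__ == "__main__":
    print("adversary_sea satisfies the SEA:", satisfies_sea(adversary_sea))      # True
    print("adversary_leaky satisfies the SEA:", satisfies_sea(adversary_leaky))  # False
```

The leaky adversary passes the independence test (its high and low parts are chosen independently at each step) and fails only the second test, which is the part of the definition that encodes the environmental constraint: two histories that look identical on L must give the low environment the same distribution on its next input.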

Since there is one tree for each possible adversary, we can think of the set of trees as being indexed by the adversaries. Therefore, we will often write $T_A$, $T_{A'}$, etc.

It is clear that for an adversary A that satisfies the Secure Environment Assumption (wrt L), the conditional probability functions ℋ and ℒ that must exist are, in fact, unique. Further, given ℋ and ℒ, there is a unique adversary, A, for which ℋ and ℒ are the probability functions that satisfy the corresponding constraint. We will therefore sometimes write $T_{\mathcal{H},\mathcal{L}}$, $T_{\mathcal{H}',\mathcal{L}'}$, etc. when we want to refer to the parts of the adversary individually.

Note that our definition of an adversary is not meant to be as general as the adversary discussed by Halpern and Tuttle. (In fact, Halpern and Tuttle give no structure at all to their adversary.) Rather, our adversary is application-specific; in particular, it is for reasoning about multilevel security of probabilistic systems and is not designed to be used outside that domain.

On the other hand, this particular adversary represents a novel application of Halpern and Tuttle’s framework. In their examples, the adversary represents one or both of two possible things:

• the initial input to the system; and

• the schedule according to which certain events (e.g., processors taking steps) occur.

In contrast, our adversary does not represent a given input to the system. Rather, it represents a mixed strategy for choosing the inputs to the system. In some sense, we can think of this as a generalization on the first item above; however, our application still fits within the framework set out by Halpern and Tuttle.

THE STATE OF THE SYSTEM At any given point, P, in any given computation tree, $T_A$, there should be a well-defined state of the system. For our purposes, the state includes the following information.

1. All inputs and outputs that have occurred on all channels up to the current time.

2. In [HT93], Halpern and Tuttle make the assumption that all points in all trees are unique. They suggest (and we adopt) the following idea to ensure that this is true. The state encodes the adversary. That is, all nodes in tree $T_A$ encode A. Note that we do not assume that any given agent knows the adversary; just that it is somehow encoded in the state. We can think of the high part of the adversary, ℋ, as being encoded in the high environment and the low part, ℒ, as being encoded in the low environment.

3. Typically, there are additional components of the global state representing the internal state of Σ. For example, in describing Σ, it is often convenient to use internal state variables. The state of these variables can be thought of as a vector of values, one value for each state variable. Thus, the internal state, when it exists, will be denoted c, and the history of internal states will be denoted γ.
COMPUTATION TREES Now that we have set out the possible states of the system (i.e., the points of computations), we can talk about the construction of the computation trees.

For each reachable point, P, we assume that Σ’s probability distribution on outputs is given. For example, this can be given by a conditional probability distribution, $O(b, c \mid \alpha, \beta, \gamma, k)$, where c is the vector representing values of all internal state variables (i.e., the internal system state) at time $k + 1$, $b \in O[C]$ is the vector of outputs produced by the system at $k + 1$, and α, β, γ give the history through k of inputs, outputs, and internal state values, respectively.

Given $O(b, c \mid \alpha, \beta, \gamma, k)$ and the adversary, A, we can construct the corresponding computation tree by starting with the initial state of the system (i.e., the point at the root of the tree with empty histories of inputs, outputs, etc.) and iteratively extending points as follows.

Let P be a point in the tree with internal system history γ, input history α, and output history β. We will make $P'$ a child of P iff

1. $P'$ is formed from P by modifying the internal system state to c and extending P’s input history (output history, resp.) with a (b, resp.); and

2. both $O(b, c \mid \alpha, \beta, \gamma, k)$ and $A(a \mid \alpha, \beta, k)$ are positive.

In such cases, we label the arc from P to $P'$ with

$$O(b, c \mid \alpha, \beta, \gamma, k) \cdot A(a \mid \alpha, \beta, k),$$

i.e., the system, Σ, and the environment, A, make their choices independently.

RUNS  OF  THE  SYSTEM  A  run  of  the  system  is  an  infinite  sequence  of  states  along  a 
path  in  one  of  the  computation  trees.  When  we  want  to  talk  about  the  particular  run,  p, 
and  time,  k,  at  which  a  point  P  occurs,  we  will  denote  the  point  by  the  pair  (p,  k).  Further, 
if  we  wish  to  talk  about  the  various  components  of  the  run,  i.e.,  the  trace  of  the  inputs,  a, 
outputs,  /3,  or  other  variables,  7,  we  will  denote  the  run  by  (0,^,7)  and  denote  the  point, 
P,  by  (q,^,7,A:). 

For  a  given  tree,  T,  we  denote  the  set  of  runs  (i.e.,  infinite  sequences  of  states),  formed  by 
tracing  a  path  from  the  root,  by  runs{T). 

For  security  applications  we  are  concerned  with  information  flow  into  and  out  of  the  system 
rather  than  with  information  in  the  system  per  se.  Thus,  though  our  system  model  is 
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adequate  to  represent  internal  states  and  traces  thereof,  in  subsequent  sections  it  will  be 
adequate  to  represent  systems  entirely  in  terms  of  input  and  output.  For  example,  system 
behavior  at  time  k  can  be  represented  by  ^0{b  \  rather  than  ‘(9(6,  c  |  a,P^j,ky. 

3 Syntax

In this section we set out our formal language and use it to describe two simple systems.
Then we give the axioms and rules of our logic.

3.1 Formation Rules

To describe the operation of the system under consideration (viz, $\Sigma$), we use a variant of
Lamport's Raw Temporal Logic of Actions (RTLA) [Lam91] (see footnote). The primary difference is that
we add a modal operator $Pr_S(\varphi)$ that allows us to specify and reason about the probabilistic
behavior of the system.

From the previous section, we assume the following basic sets of symbols, all nonempty: $C$,
$I$, $O$, and $\mathbb{R}$. Members of $\mathbb{R}$ will have the usual representation, e.g., $43.5 \in \mathbb{R}$.

We will also be talking about the subjects (or agents) of the system. Formally, a subject,
$S \subseteq C$, is identified with the process's view of the system, i.e., the set of channels on which
it can see the inputs and outputs.

Formulae in the language are built up according to the following rules.

• constants from the set of basic symbols are terms.

• state variables (representing the value of that variable in the current state) are terms.
Among the state variables, there are two reserved for each communication channel.
For each $c \in C$, we have a state variable $c_{in}$ that takes values from $I$, and another
state variable $c_{out}$ that takes values from $O$. Note that, implicitly, inputs are from the
covert senders and receivers into the system ($\Sigma$) and outputs are from the system to the
covert senders and receivers. This is because $\Sigma$ is the system under consideration (i.e.,
with respect to which we are reasoning about security). We have no mechanism (and
no need) to specify communication between agents not including the system under
consideration.

• primed state variables (e.g., $c'_{in}$) are terms. (These represent the value of the variable
in the next state.)

• We use standard operators among terms (e.g., $+$ and $\cdot$ for addition and multiplication,
respectively), with parentheses for grouping subterms, to form composite terms.

• an atomic predicate is an equation or inequality among terms not containing primed
state variables.

• an atomic action is an equation or inequality among terms (possibly including primed
as well as unprimed state variables). (Note that all predicates are actions.)

• for any action, $\varphi$, and for any subject $S \subseteq C$, $Pr_S(\varphi)$ is a real-valued term (representing
the subjective probability that $S$ assigns to the formula $\varphi$).

• For any predicate, $\varphi$, $\varphi$ is a temporal formula.

• For any action or temporal formula $\varphi$, $\Box\varphi$ is a temporal formula (to be read intuitively
as always $\varphi$).

• We build up composite predicates, actions, and temporal formulae, resp., in the usual
recursive fashion using $\wedge$, $\vee$, and $\neg$.

Now, to specify and reason about our security properties of interest, we add three finite
sets of modal operators on formulae: $k_1, \ldots, k_n$, $K_1, \ldots, K_n$, and $R_1, \ldots, R_n$, representing
knowledge of a (relatively) weak adversary, knowledge of a powerful adversary, and
permitted-knowledge respectively for each subject (represented by the subscript of the
operator). Therefore, we add the following additional formation rules to our syntax.

• For any action (temporal formula, resp.) $\varphi$, and for any subject $S \subseteq C$, $k_S(\varphi)$ (representing
that the weak adversary $S$ knows $\varphi$), $K_S(\varphi)$ (representing that the powerful
adversary $S$ knows $\varphi$) and $R_S(\varphi)$ (representing that $S$ has permitted knowledge of $\varphi$)
are actions (temporal formulae, resp.).

Later in the paper, we will make the meaning of these three operators precise. For now, we
merely mention that the weak-adversary knowledge operators ($k_S$) will be given the standard
semantics (e.g., as in [HT93]); the powerful-adversary knowledge operators ($K_S$) will be given
semantics that imply greater knowledge on the part of the subject (viz, knowledge of the
probability of certain future events).

Footnote: Roughly speaking, Raw Temporal Logic of Actions (RTLA) is the same as Lamport's Temporal Logic
of Actions (TLA) without the treatment of stuttering [Lam91]. Since we are not, in this paper, concerned
with refinement, we omit the considerations of stuttering and use RTLA.

3.2 Examples

We now give two simple examples of how to describe systems in our language. Ultimately,
we will have sufficient formal machinery to show that one of these systems is secure and the
other is not; however, here we simply set them out formally. These descriptions are meant
to give the reader an intuitive feel for the meaning of expressions in the language. Precise
meanings will be given in §4. Also, the second of these examples will motivate our choice of
modeling adversaries as strategies.

Example 3.1 The first example is a simple encryption box that uses a "one-time pad"
[Den82]. It has two channels, high and low. At each tick of the system clock, it inputs a 0 or
1 on the high channel and outputs a 0 or 1 on the low channel. The low output is computed
by taking the "exclusive or" (denoted $\oplus$) of the high input and a randomly generated bit. It
is well known that this results in an output stream that is uniformly distributed. Therefore,
we can describe this system as follows.

Let $C = \{h, l\}$, $I = \{0, 1\}$, and $O = \{0, 1\}$. Then, the system is specified by the following
formula.

$\Box(Pr(l'_{out} = 0) = Pr(l'_{out} = 1) = 0.5)$

In this formula, $l_{out}$ is a state variable representing the output on the low channel, $l$. Therefore,
$l'_{out}$ is the output on $l$ at the next time. Further, $Pr(l'_{out} = 0)$ denotes the probability
that the output on $l$ is a 0 at the next time. Hence, the entire formula says that at all times,
the probability of $\Sigma$ producing a one (1) on the next clock tick is equal to the probability
of producing a zero (0), which is equal to 0.5. Note that we have not specified inputs per se
since these constitute environment behavior rather than system behavior.

□
Example 3.2 The second example is an insecure version of the simple encryption box. This
system was first described by Shannon in [Sha58].

As in the first example, at each tick $\Sigma$ computes the "exclusive or" of the current high input
and a randomly generated bit and outputs that value on the low channel. However, in this
system, the randomly generated bit used at any given tick is actually generated and output
on the high output channel during the previous tick of the clock.

This can be expressed in our formalism as follows. Let $C = \{h, l\}$, $I = \{0, 1\}$, and $O = \{0, 1\}$.
The following formula specifies the system.

$\Box(Pr(h'_{out} = 0) = Pr(h'_{out} = 1) = 0.5 \wedge l'_{out} = h_{out} \oplus h'_{in})$

Note that in the second conjunct, $h_{out}$ is unprimed, indicating that the output on $l$ at the
next time is the "exclusive or" of the current output on $h$ with the next input on $h$.

Now note that if the high agent ignores its output, then this system acts exactly as the
system from the previous example (and can be used for perfect encryption). In particular,
suppose we were to model an adversary as an input string, the input to be provided by the
high agent. Then, it is easy to prove that for any adversary (i.e., any high input string) fixed
prior to the start of execution, the output to low will be uniformly distributed and, in fact,
will contain no information about the high input string.

However, the bit that will be used as the one-time pad at time $t$ is available to the high agent
at time $t - 1$. Therefore, (due to the algebraic properties of "exclusive or", viz, $x \oplus x \oplus y = y$)
the high agent can use this information to counteract the encryption. In particular, the high
agent can employ a (game-theoretic) strategy to send any information it desires across the
system to the low agent.

For example, suppose the high agent wishes to send a sequence of bits, $b_1, b_2, \ldots$. We'll
denote the high input (resp., output) at time $k$ by $h_{in}(k)$ (resp., $h_{out}(k)$). The appropriate
strategy for the high agent is as follows.

The high agent chooses its input for time $k + 1$ as $h_{in}(k + 1) = h_{out}(k) \oplus b_k$.

Thus, the output to low at time $k + 1$, denoted $l_{out}(k + 1)$, is computed as follows.

$l_{out}(k + 1) = h_{out}(k) \oplus h_{in}(k + 1)$ [by the system description]

$= h_{out}(k) \oplus h_{out}(k) \oplus b_k$ [by the high strategy]

$= b_k$ [by the properties of $\oplus$]

Thus, by employing the correct strategy, the high agent can noiselessly transmit an arbitrary
message over $\Sigma$ to the low agent. This, of course, motivates our choice of strategies as the
adversary, rather than, e.g., input strings.

□
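The two boxes of Examples 3.1 and 3.2, simulated as clocked systems against both adversary models the text contrasts (an input string fixed before execution, and the strategy derived above). This is an added example, not code from the paper. The message bits and the system's random bits (the pad) are constructed inputs, and the value of $h_{out}$ before the first tick, which the paper does not fix, is assumed to be 0.

```python
"""Examples 3.1 and 3.2 as clocked systems, run against the two adversary
models the text contrasts (a fixed input string and a strategy).
Added example; not code from the paper.  The system's random bits are
passed in as `pad` so that a run is reproducible."""
import random


def secure_box(high_inputs, pad):
    """Example 3.1: l_out(k) = h_in(k) XOR r(k), with r(k) a fresh random bit
    that is never output anywhere."""
    return [a ^ r for a, r in zip(high_inputs, pad)]


def run_insecure_box(high_strategy, pad, h_out0=0):
    """Example 3.2: the bit that masks tick k+1 was output on h at tick k.
       h_out(k+1) = pad[k]            (fresh random bit, visible to high)
       l_out(k+1) = h_out(k) XOR h_in(k+1)
    high_strategy(k, h_out) returns h_in(k+1) given the outputs high has seen
    so far.  h_out0 is the assumed value of h_out before the first tick; the
    paper does not fix it.  Returns the stream seen on the low channel."""
    h_out = [h_out0]
    l_out = []
    for k, r in enumerate(pad):
        a = high_strategy(k, h_out)     # environment's input for tick k+1
        l_out.append(h_out[k] ^ a)      # l'_out = h_out XOR h'_in
        h_out.append(r)                 # h'_out = the next pad bit
    return l_out


def fixed_string(s):
    """Adversary modelled as an input string fixed before execution."""
    return lambda k, h_out: s[k]


def shannon_strategy(msg):
    """High strategy from Example 3.2: h_in(k+1) = h_out(k) XOR b_k, so that
    l_out(k+1) = h_out(k) XOR h_out(k) XOR b_k = b_k."""
    return lambda k, h_out: h_out[k] ^ msg[k]


def demo(seed=7):
    """Low-channel streams for one constructed message and pad."""
    rng = random.Random(seed)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]                 # constructed message bits
    pad = [rng.randrange(2) for _ in msg]           # constructed random bits
    return {
        "msg": msg,
        "pad": pad,
        "secure": secure_box(msg, pad),                               # msg XOR pad
        "fixed": run_insecure_box(fixed_string(msg), pad),            # msg XOR shifted pad
        "strategy": run_insecure_box(shannon_strategy(msg), pad),     # exactly msg
    }


if __name__ == "__main__":
    for name, stream in demo().items():
        print(f"{name:>8}: {stream}")
```

With the fixed input string the low stream is the message masked by the (shifted) pad, exactly as in the secure box; with the strategy the low stream equals the message bit for bit, whatever the pad was. The only thing that changed between the two runs is whether the adversary's next input may depend on what it has already observed, which is why an input string is too weak a model of the adversary.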


We now have some sense of the formal language, with the exception of the modal operators
$k_S$, $K_S$, and $R_S$. As previously mentioned, these operators will be used to formalize the
security property that interests us; so, we will illustrate their use in a later section. First, we
will describe the logical axioms and inference rules that are used to prove properties about
systems.

3.3 The Logic

We now give the axioms of our logic. In the following, we will use $\varphi$ and $\psi$ to refer to
formulae of our language.

Propositional Reasoning All instances of tautologies of propositional logic.

Temporal Reasoning The following are standard axioms for temporal reasoning about
discrete systems. The logic they constitute is generally called S4.3Dum or sometimes D.
(See [Gol92] for details. Note also that these are the formulae Abadi uses to axiomatize
Lamport's TLA [Aba90].) We have labelled the axioms with their historical names.
Let $\varphi$ and $\psi$ be formulae of our language.

K $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$

4 $\Box\varphi \to \Box\Box\varphi$

D $\Box\varphi \to \Diamond\varphi$

L $\Box(\varphi \wedge \Box\varphi \to \psi) \vee \Box(\psi \wedge \Box\psi \to \varphi)$

Z $\Box(\Box\varphi \to \varphi) \to (\Diamond\Box\varphi \to \Box\varphi)$

'$\Diamond\varphi$' can be interpreted roughly as saying that at some point $\varphi$ is true. Formally,
it is viewed as notational shorthand: for all formulae $\varphi$, $\Diamond\varphi \equiv \neg\Box\neg\varphi$. K basically
guarantees that the temporal operator respects modus ponens. Each of the other
axioms captures a feature of time that we desire. 4 gets us transitivity. D guarantees
that we don't run out of time points (seriality). L guarantees that all points in time
are connected. And, Z guarantees that time is discrete. (Between any two points in
time there are at most finitely many other points.)

Real Number Axioms Standard field and order axioms for the real numbers (to apply
to members of $\mathbb{R}$ and function terms with range $\mathbb{R}$). We will not enumerate these
axioms. (See any elementary real analysis book for enumeration, e.g., [Mar74] or
[Rud].)

Epistemic Reasoning The (nonredundant) axioms of the Lewis system S5 (cf. [Che80] or
[Gol92]) apply to the strong knowledge operators ($K_i$), the weak knowledge operators
($k_i$), and the permitted-knowledge operators ($R_i$). We state them only for the (strong)
knowledge operators. As for temporal axioms, we give the axioms their historical
names. Let $S$ be a subject, and let $\varphi$ and $\psi$ be formulae of our language.

K $[K_S(\varphi) \wedge K_S(\varphi \to \psi)] \to K_S(\psi)$ (Knowledge respects modus ponens.)

T $K_S(\varphi) \to \varphi$ (What one knows is true.)

5 $\neg K_S(\varphi) \to K_S(\neg K_S(\varphi))$ (If you don't know something, then you know that you
don't know it.)

We also have two axioms for relating weak knowledge to permitted knowledge and
permitted knowledge to strong knowledge.

kR $k_S(\varphi) \to R_S(\varphi)$

RK $R_S(\varphi) \to K_S(\varphi)$

Random Variable Axioms The standard requirements for random variables (in the probability
theoretic sense).

PM (Positive Measure) for any formula, $\varphi$, and any subject, $S$, $Pr_S(\varphi) \ge 0$ (The
probability of any event is greater than or equal to zero.)

NM (Normalized Measure) for any channel, $c$, and any subject, $S$,

$\sum_{i \in I} Pr_S(c_{in} = i) = 1$ (The probability of all possibilities sums to one.)

$\sum_{o \in O} Pr_S(c_{out} = o) = 1$

Input/Output Axioms for knowledge and permitted-knowledge of inputs and outputs. Let
$S$ be a subject, let $c \in S$ be a channel that is visible to $S$, and let $a \in I$ be an input,
$b \in O$ be an output, and $r \in \mathbb{R}$ be a real number.

KO $Pr_S(c'_{out} = b) = r \to K_S(Pr_S(c'_{out} = b) = r)$

RI $Pr_S(c'_{in} = a) = r \to R_S(Pr_S(c'_{in} = a) = r)$

Intuitively, KO says that a subject knows the distribution on its own outputs conditioned on
the previous history of inputs and outputs that it has seen. Similarly, a subject knows the
distribution on its own inputs conditioned on the previous history of inputs and outputs it
has seen. However, we need no corresponding axiom KI since it follows trivially from RI
and RK. From theorems KI and KO we can inductively show that every subject knows the
probability of any event that it can see in finite time. RI says that a subject is permitted
to know the conditional distribution on its own inputs. But, a subject is permitted to
know the conditional distribution on its own outputs only if the system is secure, e.g., for
a low subject, only if knowing that distribution does not reveal any information about the
distribution on high inputs. The absence of an axiom RO, corresponding to KO, is what
syntactically captures this.

The above are all of our axioms. We now give the rules of our logic, which are all standard.

MP (Modus Ponens) From $\varphi$ and $\varphi \to \psi$ infer $\psi$.

Nec (Necessitation) This rule applies to all of the modal operators we have introduced: $\Box$,
$K_S$, $k_S$, and $R_S$. (It is called 'necessitation' because it was originally applied to a
necessity operator.) We set it out for $\Box$ only. From $\vdash \varphi$ infer $\vdash \Box\varphi$.

Note that in the above, '$\vdash \varphi$' indicates a derivation of $\varphi$ from the axioms alone, rather than
from a set of premises. (Derivations will be formally defined below.) Thus, in the case of
knowledge (strong or weak) for example, Nec says that if $\varphi$ is a theorem (derivable without
any premises) then all subjects know $\varphi$.

We now have sufficient machinery to give a characterization of a formal derivation.

Definition 3.3 Let $\Gamma$ be a finite set of formulae of our language. A finite sequence of
formulae $\varphi_1, \varphi_2, \varphi_3, \ldots, \varphi_n$ is called a derivation (of $\varphi_n$ from $\Gamma$) iff each $\varphi_k$ ($k = 1, \ldots, n$)
satisfies one of the following:

• $\varphi_k \in \Gamma$

• $\varphi_k$ is an axiom.

• $\varphi_k$ follows from some theorem by Nec.

• For some $i, j < k$, $\varphi_k$ results from $\varphi_i$ and $\varphi_j$ by MP.

We write '$\Gamma \vdash \varphi$' to indicate a derivation of $\varphi$ from $\Gamma$, and we write '$\vdash \varphi$' to indicate a
derivation of $\varphi$ from the axioms alone. □

This completes our statement of the formal system.
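Definition 3.3 together with the rules MP and Nec, as a small derivation checker. This is an added example, not code from the paper. Formulae are nested tuples; only the modal axiom schemas of this section are encoded (the real-number and random-variable axioms are omitted), and the justification `taut` stands for Propositional Reasoning, checked by truth table with modal subformulae treated as propositional letters. The subject and the atom used in the sample derivations are constructed.

```python
"""A checker for derivations in the sense of Definition 3.3 over the modal
axiom schemas of Section 3.3.  Added example; not code from the paper.
Formulae are nested tuples: ("p", name) for an atomic predicate/action,
("not", f), ("and", f, g), ("imp", f, g), ("box", f), and
("K", S, f) / ("k", S, f) / ("R", S, f) for strong, weak and permitted
knowledge of subject S."""
from itertools import product

VARS = {"phi", "psi", "subj"}           # schema variables

AXIOMS = {   # named as in the paper; "KK" is the epistemic K axiom
    "K":  ("imp", ("box", ("imp", "phi", "psi")),
                  ("imp", ("box", "phi"), ("box", "psi"))),
    "4":  ("imp", ("box", "phi"), ("box", ("box", "phi"))),
    "KK": ("imp", ("and", ("K", "subj", "phi"), ("K", "subj", ("imp", "phi", "psi"))),
                  ("K", "subj", "psi")),
    "T":  ("imp", ("K", "subj", "phi"), "phi"),
    "5":  ("imp", ("not", ("K", "subj", "phi")),
                  ("K", "subj", ("not", ("K", "subj", "phi")))),
    "kR": ("imp", ("k", "subj", "phi"), ("R", "subj", "phi")),
    "RK": ("imp", ("R", "subj", "phi"), ("K", "subj", "phi")),
}


def match(pat, f, env):
    """Does formula f instantiate schema pat?  env collects variable bindings."""
    if isinstance(pat, str) and pat in VARS:
        if pat in env:
            return env[pat] == f
        env[pat] = f
        return True
    if isinstance(pat, tuple):
        return (isinstance(f, tuple) and len(pat) == len(f)
                and all(match(p, x, env) for p, x in zip(pat, f)))
    return pat == f


def is_tautology(f):
    """Truth-table check; atomic and modal subformulae are opaque letters."""
    letters = []

    def collect(g):
        if g[0] in ("not", "and", "imp"):
            for h in g[1:]:
                collect(h)
        elif g not in letters:
            letters.append(g)

    def ev(g, val):
        if g[0] == "not":
            return not ev(g[1], val)
        if g[0] == "and":
            return ev(g[1], val) and ev(g[2], val)
        if g[0] == "imp":
            return (not ev(g[1], val)) or ev(g[2], val)
        return val[g]

    collect(f)
    return all(ev(f, dict(zip(letters, bits)))
               for bits in product((False, True), repeat=len(letters)))


def check_derivation(premises, lines):
    """lines: [(formula, justification)].  Returns, per line, whether it is a
    theorem (derivable from the axioms alone); Nec may only cite theorems.
    Raises ValueError at the first step that is not justified."""
    theorem = []
    for n, (f, just) in enumerate(lines, 1):
        kind, *args = just.split()
        if kind == "premise":
            ok, th = f in premises, False
        elif kind == "taut":
            ok, th = is_tautology(f), True
        elif kind == "axiom":
            ok, th = match(AXIOMS[args[0]], f, {}), True
        elif kind == "MP":                      # from phi_i and phi_j = (phi_i -> f)
            i, j = int(args[0]) - 1, int(args[1]) - 1
            ok = (0 <= min(i, j) and max(i, j) < n - 1
                  and lines[j][0] == ("imp", lines[i][0], f))
            th = ok and theorem[i] and theorem[j]
        elif kind == "Nec":                     # from theorem phi_i infer box/K/k/R phi_i
            i = int(args[0]) - 1
            ok = (0 <= i < n - 1 and theorem[i]
                  and (f == ("box", lines[i][0])
                       or (f[0] in ("K", "k", "R") and f[2] == lines[i][0])))
            th = True
        else:
            ok = th = False
        if not ok:
            raise ValueError(f"line {n}: '{just}' does not justify {f}")
        theorem.append(th)
    return theorem


S = frozenset({"l"})                        # constructed subject: the low channel
phi = ("p", "phi")                          # constructed atomic formula
K = lambda f: ("K", S, f)
k = lambda f: ("k", S, f)
R = lambda f: ("R", S, f)
imp = lambda f, g: ("imp", f, g)


def example_derivations():
    # (1) From premise K_S(phi) derive phi by T and MP; Nec is then applied to T.
    d1 = [(K(phi), "premise"), (imp(K(phi), phi), "axiom T"), (phi, "MP 1 2"),
          (("box", imp(K(phi), phi)), "Nec 2")]
    # (2) k_S(phi) -> K_S(phi), a theorem, from kR, RK and a tautology.
    A, B, C = k(phi), R(phi), K(phi)
    d2 = [(imp(A, B), "axiom kR"), (imp(B, C), "axiom RK"),
          (imp(imp(A, B), imp(imp(B, C), imp(A, C))), "taut"),
          (imp(imp(B, C), imp(A, C)), "MP 1 3"), (imp(A, C), "MP 2 4")]
    return check_derivation({K(phi)}, d1), check_derivation(set(), d2)


def nec_on_premise_is_rejected():
    """Nec applied to a premise (not a theorem) must be refused."""
    try:
        check_derivation({K(phi)}, [(K(phi), "premise"), (("box", K(phi)), "Nec 1")])
    except ValueError:
        return True
    return False
```

The per-line theorem flag is what makes the third clause of Definition 3.3 checkable: a line obtained by MP from a premise is not a theorem, so Nec cannot be applied to it, while a line that is an axiom instance or follows by MP from theorems alone is.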


4 Semantics

In the last section we presented a syntactic system. So far we have only intuitive meanings
to attach to this formalism. In this section we provide semantics for our system in terms of
the Halpern-Tuttle framework and our application-specific model set out in §2.

4.1 Semantic Model

A model $\mathcal{M}$ is a tuple of the form:

$(\mathbb{R},\ W,\ T,\ C,\ I,\ O,\ v,\ \mathcal{K}^{powerful}_1, \ldots, \mathcal{K}^{powerful}_{|\mathcal{P}(C)|},\ \mathcal{K}^{weak}_1, \ldots, \mathcal{K}^{weak}_{|\mathcal{P}(C)|},\ \delta_1, \ldots, \delta_{|\mathcal{P}(C)|})$

Here, $\mathbb{R}$ and its operations and ordering relation give us the real numbers; $W$ is the set of
worlds (i.e., global states); $T$ is the set of labeled computation trees (with nodes from $W$);
$C$, $I$, and $O$ are the sets of channels, possible inputs, and possible outputs, respectively; $v$
is the assignment function, which assigns semantic values to syntactic expressions at each
world (values of $v$ at a particular world $P$ will be indicated by the projection '$v_P$'); the
$\mathcal{K}^{powerful}_i$ and $\mathcal{K}^{weak}_i$ are knowledge accessibility relations, one each for each subject $S$; and
the $\delta_i$ are permitted-knowledge accessibility relations, also one for each subject. In the
remainder of this paper we will generally denote the accessibility relations corresponding to
subject $S$ by '$\mathcal{K}^{powerful}_S$', '$\mathcal{K}^{weak}_S$' and '$\delta_S$'. These will each be further explained when we come
to the assignment function.

In assigning meaning to our language, it is of fundamental importance to associate a probability
space with each labeled computation tree. In particular, for each labeled computation
tree $T_A$ we will construct a sample space of runs, $\mathcal{R}_A$, an event space, $\mathcal{X}_A$ (i.e., those subsets
of $\mathcal{R}_A$ to which a probability can be assigned) and a probability measure $\mu_A$ that assigns
probabilities to members of $\mathcal{X}_A$.

Our construction of this probability space is quite natural and standard (see, e.g., [Sei92] as
well as [HT93] for two instances). We will not go into detail explaining the basic concepts
of probability and measure theory here (cf. [Hal50] or [Shi84]).

Definition 4.1 For a labeled computation tree $T_A$, the associated sample space $\mathcal{R}_A$ is the
set of all infinite paths starting from the root of $T_A$.

The set $e \subseteq \mathcal{R}_A$ is called a generator iff it consists of the set of all traces with some
common finite prefix. The generators are the probability-theoretic events corresponding to
finite traces. We can now define the event space, $\mathcal{X}_A$, to be the (unique) field of sets
generated by the set of all generators (i.e., $\mathcal{X}_A$ is the smallest subset of $\mathcal{P}(\mathcal{R}_A)$ that contains
all of the generators and is closed under countable union and complementation).

Suppose $e$ is a generator corresponding to the finite prefix given by $(\rho, k)$. Then, the probability
measure, $\mu_A$, is defined for $e$ as the product of the transition probabilities from the
root of the tree, along the path $\rho$, up to time $k$. Further, there is a unique extension of $\mu_A$
to the entire event space [Hal50]. □

4.2 Assignment Function

For a given point, $P$, we will assign truth values to temporal formulae $\varphi$ at this point. In
addition, we assign values to variables, for example the input on a channel, at this point.
The assignment function that does both of these is denoted by $v_P$.

To define $v_P$, we will need to assign truth values to action and temporal formulae. Therefore
we will also define functions $v_{(P_1, P_2)}$ (where $P_1$ and $P_2$ are points) and $v_\rho$ (where $\rho$ is a run)
to assign truth values to action formulae over a pair of points and temporal formulae on a
run, respectively.

We define $v_P$, $v_{(P_1, P_2)}$, and $v_\rho$ mutually recursively below. First we present some additional
notation.

Since nodes are unique even across trees,  for a given node $P$, there is no ambiguity in referring
to "the tree that contains $P$". In the following, we will use $tree(P)$ to denote that tree.

We use the notation $succ(P)$ to denote the set of nodes that succeed $P$ in $tree(P)$.

We use the notation $extensions(P)$ to denote the set of infinite sequences of states starting
at $P$ in $tree(P)$.

As discussed in [HT93], to each subject, $S$, and point, $P$, we need to associate a sample space,
$S_{S,P}$. Each such sample space will be a set of points from $tree(P)$. Intuitively, these are the
points (within the tree that contains the current execution) that the subject $S$ considers
possible. We will set out these sample spaces below. For the time being, we simply make
use of the notation $S_{S,P}$ to refer to them.

We will be rather abusive in the use of our probability measures $\mu_A$. In particular, when we
have a finite set of points, $x$, we will write $\mu_A(x)$ to denote the probability (as assigned by
$\mu_A$) of passing through one of the points in $x$. Technically, this is wrong, since $\mu_A$ is defined
for (certain) sets of runs, not for sets of points. However, the mapping between the two
is extremely natural; the set of runs corresponding to a point is the set of runs that pass
through that point. Further, by the construction of our probability spaces, all sets of runs
corresponding to finite sets of points are measurable. Therefore, there is no danger in this
abuse of notation and it greatly simplifies our presentation.

As is standard (see, e.g., [HT93]), we will be using accessibility relations, one for each
subject, on points to give semantics to our three knowledge operators. We define these
relations below. For the time being, we simply make use of the notation $\mathcal{K}^{powerful}_S$ to refer to
the powerful-adversary knowledge accessibility relation, $\mathcal{K}^{weak}_S$ to refer to the weak-adversary
knowledge accessibility relation, and $\delta_S$ to refer to the permitted-knowledge accessibility
relation.

We now define $v_P$, $v_{(P_1, P_2)}$, and $v_\rho$. Let $P$ be a point at time $k$ in the execution $\rho = (\alpha, \beta, \gamma)$
in computation tree $T_A$.

• Numbers are assigned to number names.

• Members of $I$ and $O$ are assigned to their syntactic identifiers.

• For any channel $c \in C$,

$v_P(c_{in}) = \alpha(c, k)$

• For any channel $c \in C$,

$v_P(c_{out}) = \beta(c, k)$

• For any variable name, $X$, excluding channel variables (such as $c_{in}$ or $c_{out}$),

$v_P(X) = \gamma(X, k)$

• To assign truth values to actions, we need to assign values to terms at pairs of points.
Constants do not change their values when we move to pairs of points. However,
primed and unprimed variables are evaluated differently. For any state variable, $X$,
and any pair of points $(P_1, P_2)$,

$v_{(P_1, P_2)}(X) = v_{P_1}(X)$

In contrast,

$v_{(P_1, P_2)}(\varphi) = v_{P_1 \mid P_2}(\varphi)$

where $v_{P_1 \mid P_2}(\varphi)$ follows $v_{P_1}$, except that all primed terms are assigned according to $v_{P_2}$.

• Composite terms are assigned values at a point and at a pair of points in the natural
way. For example,

$v_P(x + y) = v_P(x) + v_P(y)$

and

$v_{(P_1, P_2)}(x + y) = v_{(P_1, P_2)}(x) + v_{(P_1, P_2)}(y)$

• Similarly, predicates and action formulae are assigned truth values at a point and at a
pair of points, respectively, in the natural way. For example,

$v_P(X < Y) = true$ iff $v_P(X) < v_P(Y)$

and

$v_{(P_1, P_2)}(\varphi \wedge \psi) = true$ iff $v_{(P_1, P_2)}(\varphi) = true$ and $v_{(P_1, P_2)}(\psi) = true$

• An action formula, $\varphi$, is true at a point, $P$, iff it is true for all pairs of points emanating
from $P$. More precisely,

$v_P(\varphi) = true$ iff $\forall P' \in succ(P),\ v_{(P, P')}(\varphi) = true$

(Since we have not needed to include quantification in our language we are free to use
'$\forall$' and '$\exists$' as metalinguistic shorthand.)

• To interpret the probability of an action $\varphi$ at a point $P$, we will take the set of all pairs
of points, $(P_1, P_2)$, emanating from points in $S_{S,P}$. Restricting to this set, we compute
the probability of those pairs such that $v_{(P_1, P_2)}(\varphi)$ evaluates to true. More precisely,
for any action formula, $\varphi$, and for any subject $S \subseteq C$,

$v_P(Pr_S(\varphi)) = \mu_{A(P)}(S_{S,P}(\varphi))$

where

$S_{S,P}(\varphi) = \{P_2 \mid \exists P_1 \in S_{S,P} \wedge P_2 \in succ(P_1) \wedge v_{(P_1, P_2)}(\varphi) = true\}$

and $A(P)$ is the adversary corresponding to $tree(P)$.

• For any predicate, $\varphi$, and run, $\rho$,

$v_\rho(\varphi) = v_{\rho(1)}(\varphi)$

• For any (action or temporal) formula, $\varphi$, and run, $\rho$,

$v_\rho(\Box\varphi) = true$ iff $\forall t,\ v_{\rho(t)}(\varphi) = true$

• A temporal formula is true at a point iff it is true in all runs extending from that point.
More precisely, for any temporal formula, $\varphi$,

$v_P(\varphi) = \forall \rho \in extensions(P),\ v_\rho(\varphi)$

• Composite action formulae and temporal formulae are assigned truth values at points
in the natural way. For example,

$v_P(\varphi \wedge \psi) = true$ iff $v_P(\varphi) = true$ and $v_P(\psi) = true$

• Our three knowledge operators are all S5 modal operators and are given semantics in
terms of the accessibility relations (on points) in the standard way; viz, for powerful-adversary
knowledge,

$v_P(K_S(\varphi)) = true$ iff $\forall P',\ \mathcal{K}^{powerful}_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

for weak-adversary knowledge,

$v_P(k_S(\varphi)) = true$ iff $\forall P',\ \mathcal{K}^{weak}_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

and for permitted knowledge,

$v_P(R_S(\varphi)) = true$ iff $\forall P',\ \delta_S(P, P') \Rightarrow v_{P'}(\varphi) = true$

To complete our semantics for probability formulas, we need to choose the sample spaces $S_{S,P}$
for each subject at each point. Our approach is quite straightforward. We will choose $S_{S,P}$
to be the set of points within $tree(P)$ that have the same history of inputs and outputs on
channels $S$ as occur on the path to point $P$. More precisely, we have the following definitions.

Definition 4.2 Let $S \subseteq C$ be a subject and let $\rho_1 = (\alpha_1, \beta_1, \gamma_1)$ and $\rho_2 = (\alpha_2, \beta_2, \gamma_2)$ be two
runs (not necessarily in the same tree). We say that $\rho_1$ and $\rho_2$ have the same $S$-history up
to time $k$ if and only if

$\forall i,\ 1 \le i \le k,\ \forall c \in S,\ \alpha_1(c, i) = \alpha_2(c, i) \wedge \beta_1(c, i) = \beta_2(c, i)$

□

Definition 4.3 Let $S \subseteq C$ be a subject and let $P_1 = (\rho_1, k_1)$ and $P_2 = (\rho_2, k_2)$ be two points
(not necessarily in the same tree). We say that $P_1$ and $P_2$ have the same $S$-history if and
only if the following two conditions hold.

1. $k_1 = k_2$.

2. $\rho_1$ and $\rho_2$ have the same $S$-history up to time $k_1$.

□

Definition 4.4 Let $S \subseteq C$ be a subject and $P$ be a point; the sample space for $S$ at point
$P$ is given by

$S_{S,P} = \{P' \mid tree(P') = tree(P) \wedge P' \text{ and } P \text{ have the same } S\text{-history}\}$

□
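The tree construction of Section 2 (arcs labelled with the product of the system's and the adversary's choice probabilities), the generator measure $\mu_A$ of Definition 4.1, the sample space $S_{S,P}$ of Definition 4.4 and the evaluation of $Pr_S$ from §4.2, carried out for the insecure box of Example 3.2 with the low channel as subject. This is an added example, not code from the paper. It assumes that $h_{out}$ is 0 at the root, that the low channel carries no inputs, that the system sees the tick-$(k+1)$ input before choosing its output (which the conjunct $l'_{out} = h_{out} \oplus h'_{in}$ requires), and that $Pr_S$ is normalised by $\mu(S_{S,P})$ as a reading of "restricting to this set"; the message bits and the fixed input string are constructed.

```python
"""Computation trees, generator measure, low's sample space S_{S,P} and
Pr_S for the insecure box of Example 3.2.  Added example; not code from
the paper.  Histories are tuples indexed by time: alpha[t] / beta[t] are
dicts channel -> value for t = 1..k, index 0 is the root.  Internal state c
is omitted, as the paper does from Section 3 on."""
from fractions import Fraction

H_OUT0 = 0                      # assumed h_out at the root (not fixed by the paper)
INPUTS = [{"h": x, "l": 0} for x in (0, 1)]                # low never sends (assumption)
OUTPUTS = [{"h": x, "l": y} for x in (0, 1) for y in (0, 1)]


class Point:
    def __init__(self, alpha, beta, mu):
        self.alpha, self.beta = alpha, beta
        self.k = len(alpha) - 1
        self.mu = mu                 # mu_A of this point's generator (Def. 4.1)
        self.children = []           # (arc probability, child point)

    def h_out(self):
        return self.beta[self.k]["h"]

    def s_history(self, S):
        """Inputs and outputs on the channels in S through time k (Defs. 4.2, 4.3)."""
        return tuple((tuple(self.alpha[t][c] for c in S), tuple(self.beta[t][c] for c in S))
                     for t in range(1, self.k + 1))


def O_insecure(b, a, P):
    """O(b | alpha, beta, k) for Example 3.2: h'_out is a fair coin and
    l'_out = h_out XOR h'_in.  Assumes the system sees the tick-(k+1) input a
    before choosing its output."""
    return Fraction(1, 2) if b["l"] == P.h_out() ^ a["h"] else Fraction(0)


def fixed_string(s):
    """Adversary as an input string fixed in advance: h_in(k+1) = s[k]."""
    return lambda a, P: Fraction(int(a["h"] == s[P.k]))


def leaking_strategy(msg):
    """High strategy of Example 3.2: h_in(k+1) = h_out(k) XOR b_k."""
    return lambda a, P: Fraction(int(a["h"] == P.h_out() ^ msg[P.k]))


def build_tree(O, A, depth):
    """P' is a child of P iff O and A are both positive; the arc carries O * A
    and each point records the product of the arcs from the root (Def. 4.1)."""
    root = Point((None,), ({"h": H_OUT0, "l": 0},), Fraction(1))
    frontier = [root]
    for _ in range(depth):
        nxt = []
        for P in frontier:
            for a in INPUTS:
                pa = A(a, P)
                if pa == 0:
                    continue
                for b in OUTPUTS:
                    pb = O(b, a, P)
                    if pb == 0:
                        continue
                    child = Point(P.alpha + (a,), P.beta + (b,), P.mu * pa * pb)
                    P.children.append((pa * pb, child))
                    nxt.append(child)
        frontier = nxt
    return root


def points_at_time(root, k):
    level = [root]
    for _ in range(k):
        level = [c for P in level for _, c in P.children]
    return level


def sample_space(root, P, S):
    """S_{S,P} (Def. 4.4): points of tree(P) with the same S-history as P."""
    return [Q for Q in points_at_time(root, P.k) if Q.s_history(S) == P.s_history(S)]


def prob_S(root, P, S, action):
    """v_P(Pr_S(phi)) for an action phi given as a predicate on (P1, P2): the
    measure of successor pairs from S_{S,P} satisfying phi, divided by
    mu(S_{S,P}) (the normalisation is this example's assumption)."""
    space = sample_space(root, P, S)
    hit = sum(Q.mu * p for Q in space for p, Q2 in Q.children if action(Q, Q2))
    return Fraction(hit) / sum(Q.mu for Q in space)


def next_low_output_is_zero(P1, P2):
    return P2.beta[P2.k]["l"] == 0


def demo():
    """Low's probability that the next low output is 0, at every point of
    times 1 and 2, under the leaking strategy and under a fixed input string."""
    S = ("l",)
    leaky = build_tree(O_insecure, leaking_strategy((1, 0, 1)), 3)   # constructed message
    fixed = build_tree(O_insecure, fixed_string((1, 1, 1)), 3)       # constructed string

    def probs(root):
        return [prob_S(root, P, S, next_low_output_is_zero)
                for k in (1, 2) for P in points_at_time(root, k)]
    return probs(leaky), probs(fixed)


if __name__ == "__main__":
    print(demo())
```

Under the leaking strategy, low's probability for the next low output is 0 or 1 at every point, and which of the two it is tracks the high agent's message bit; under a fixed input string it is 1/2 at every point. Since KO makes a subject know the distribution on its own outputs, this is exactly the quantity that a low subject would be permitted to know only if the system were secure.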

In  a  more  general  setting,  we  would  also  want  to  consider  the  possibility  that  a  subject  5 
has  internal  state  variables  and  could  use  these  to  make  finer  distinctions  between  points. 
However,  in  our  application,  all  of  the  internal  processing  of  the  relevant  subjects  (viz,  7i 
and  £)  is  encoded  in  the  adversary  and  is  thus  factored  out  of  the  computation  tree.  We 
therefore  do  not  lose  any  needed  generality  in  making  the  above  definition. 

Now,  to  complete  our  description  of  the  assignment  function  we  need  only  describe  the 
relations  and  Ss  for  all  S  C  C. 

Definition  4.5  Our  definition  of  (and  hence  our  definition  of  weak- adversary  knowl¬ 
edge)  is  the  standard  definition  of  knowledge  in  a  distributed  system.  In  particular,  for  any 
two  points.  Pi  and  P2  (not  necessarily  in  distinct  trees)  and  any  subject,  5  C  C,  We  say 
that  P2  is  weak-adversary-accessible  from  Pi,  denoted  ‘k5'“*'(Pi,  P2)’  if  and  only  if  Pi  and  P2 
have  the  same  5-history.  □ 

Our definition of $\kappa_S^{powerful}$ (and hence, our definition of powerful-adversary knowledge) is novel. In the analysis of distributed protocols and in other areas of computer science, it is typical to use the above weak-adversary knowledge accessibility relation (or something roughly equivalent). Our definition of accessibility for powerful-adversary knowledge will require more; in other words, using this definition subjects know more. In particular, subjects "know" the probability distribution over the future inputs and outputs on the channels that they can see. That is, if the probability of a given future output on a low channel is $x$, then (assuming a powerful adversary) the low environment knows that. To make this notion precise, we need some definitions.

Definition 4.6 Let $S \subseteq C$ be a subject and let $e$ be a set of runs, $\{\rho_i\}$ (not necessarily taken from any one computation tree). We say that $e$ is an $S$-event if and only if there exists a time $k \in \mathbb{N}$ such that for any two runs, $\rho_1$ and $\rho_2$, having the same $S$-history up to time $k$, $\rho_1 \in e$ iff $\rho_2 \in e$. For an $S$-event, $e$, we will refer to the least $k$ such that the above condition holds as the length of $e$. □

Intuitively, an event $e$ is an $S$-event if and only if there is some finite time $k$ (i.e., its length) after which $S$ can always determine whether or not $e$ has occurred.

Note that in general, an $S$-event contains runs from more than one computation tree. Therefore, such "events" will not be measurable in any of our probability spaces. Rather, we think of them as meta-events and we will be interested in the measure of the subset of the runs that are contained in a given computation tree. To make this precise, we introduce the following definition.


Definition 4.7 Given a computation tree, $T_A$, and an $S$-event, $e$, the projection of $e$ onto $T_A$, denoted $e_A$, is given by:

e_A = runs(T_A) \cap e

□


Observation 4.8 Every projection of every $S$-event is measurable. That is, for any $S$-event, $e$, and any computation tree, $T_A$, the projection $e_A$ is a measurable event of $T_A$. This is due to the restriction on $S$-events that they be observable within some finite time. In particular, the projection of an $S$-event onto a tree, $T$, must also be observable within a finite time and so, it must be formable from a finite number of unions and complementations of the generators of $T$. □

Now  we  are  ready  to  give  the  definition  of  the  knowledge  accessibility  relation. 

Definition 4.9 Let $P_1$ and $P_2$ be two points in (not necessarily distinct) trees $T_{A_1}$ and $T_{A_2}$ respectively and let $S \subseteq C$ be a subject. We say that $P_2$ is powerful-adversary-accessible from $P_1$, denoted '$\kappa_S^{powerful}(P_1, P_2)$', if and only if

1. $P_1$ and $P_2$ have the same $S$-history; and

2. for any $S$-event $e$, $\mu_{A_1}(e \mid \Omega_{S,P_1}) = \mu_{A_2}(e \mid \Omega_{S,P_2})$.

□


Thus, when two points are $\kappa_S^{powerful}$-accessible, this implies not only that the two points have the same $S$-history, but also that, conditioned on the current $S$-history, the probability distribution on all $S$-events, including future events, is the same. As mentioned previously, using this definition, subjects "know more" than when using the standard definition. However, we view this as another case where we've adopted the worst-case scenario; that is, we've given the penetrators, $\mathcal{H}$ and $\mathcal{L}$, the greatest conceivable knowledge at any given point in the execution of the system. We will see later in the paper that this choice corresponds to some existing information-theoretic definitions of perfect multilevel security.

Our definition of permitted knowledge is also novel. From our viewpoint, a subject's permitted knowledge does not change over the course of the system's execution. That is, a given subject's permitted knowledge is set prior to the start of execution. (It is only a subject's knowledge that changes during the system's execution.) Thus, we can capture a subject's permitted knowledge by defining an accessibility relation on computation trees. We will say that two points are accessible if and only if they have the same $S$-history and their two containing trees are accessible; roughly speaking, two computation trees, $T_{A_1}$ and $T_{A_2}$, will be accessible if and only if the parts of the adversaries, $A_1$ and $A_2$, that correspond to $S$ "act the same" in both trees. We make this precise as follows.

Definition 4.10 Let $S$ be a subject and $T_{A_1}$ and $T_{A_2}$ be two computation trees. We say that $T_{A_2}$ is $\Delta_S$-accessible from $T_{A_1}$, denoted '$\Delta_S(T_{A_1}, T_{A_2})$', if and only if for any point $P_1$ in $T_{A_1}$ there is a point $P_2$ in $T_{A_2}$ such that

1. $P_1$ and $P_2$ have the same $S$-history; and

2. for any channel $c \in S$ and any input $i \in I$, $v_{P_1}(Pr_S(c'_{in} = i)) = v_{P_2}(Pr_S(c'_{in} = i))$.

□

Definition 4.11 Let $S$ be a subject and $P_1$ and $P_2$ be two points. We say that $P_2$ is $\delta_S$-accessible from $P_1$, denoted '$\delta_S(P_1, P_2)$', if and only if

1. $P_1$ and $P_2$ have the same $S$-history; and

2. $\Delta_S(tree(P_1), tree(P_2))$.

□

Thus, the $\delta_S$ relation reflects the fact that subjects are permitted to know the conditional probability distribution on their inputs: two points are $\delta_S$-accessible (i.e., as far as $S$ is permitted to know they are the same point) if and only if the conditional distribution on inputs visible to $S$ is the same at both points.

There is a close relationship between our definition of permitted knowledge and the Secure Environment Assumption. In particular, recall that for any adversary, $A$, that satisfies the Secure Environment Assumption wrt $L$ (viz., Definition 2.2), there is a one-to-one correspondence between $A$ and the two components of the environment, $\mathcal{H}$ and $\mathcal{L}$.

Let $A_1 = (\mathcal{H}_1, \mathcal{L}_1)$ and $A_2 = (\mathcal{H}_2, \mathcal{L}_2)$ be two adversaries that satisfy the Secure Environment Assumption wrt $L$. Since the low environment determines the probabilities with which inputs occur on channels in $L$, it is clear that $\Delta_L(T_{A_1}, T_{A_2})$ if and only if $\mathcal{L}_1 = \mathcal{L}_2$.

Intuitively, this relationship can be understood as follows. A subset, $L$, of the interface of $\Sigma$ has been partitioned off. By our definition of permitted knowledge, we will say that the low environment, $\mathcal{L}$, is permitted to know how the inputs on $L$ are chosen, but not how other (high) inputs are chosen. By the Secure Environment Assumption, we are saying that $\mathcal{L}$ cannot get any information about how high inputs are chosen via any means outside of $\Sigma$. With these two definitions in place, we have effectively isolated the question that interests us: "Can the low environment ($\mathcal{L}$) come to know, via the system of interest ($\Sigma$), something about the activity of the high environment ($\mathcal{H}$)?"

In the remainder of the paper, for a point $P$, formula $\varphi$, and set of formulae $\Gamma$, we will use '$P \models \varphi$' to indicate that $\varphi$ is true at $P$, and '$P \models \Gamma$' to indicate that all members of $\Gamma$ are true at $P$. Finally, we will use '$\Gamma \models \varphi$' to indicate that $\varphi$ is true at all worlds at which all members of $\Gamma$ are true.

5  Soundness 

In  §6  and  §7  below  we  give  a  syntactic  characterization  of  security  and  show  that  the  semantic 
interpretation  of  our  syntactic  characterization  of  security  is  equivalent  to  certain  previously 
developed characterizations. However, the significance of these results is greatly reduced
unless  the  logic  is  sound.  For,  without  soundness  there  is  no  guarantee  that  any  formal 
proof  of  security  we  might  give  for  a  system  implies  any  independently  motivated  notion  of 
security.  A  soundness  theorem  gives  us  just  such  a  correspondence. 

Theorem 5.1 [Soundness] Given a set of formulae of our language $\Gamma$ and a formula $\varphi$,

If $\Gamma \vdash \varphi$, then $\Gamma \models \varphi$.

Proof: In order to prove soundness we must show that the axioms are valid and the rules are truth preserving (except Nec, which need only be theorem preserving). For most of the axioms and all of the rules the results are completely standard. (Cf. [Che80] and [Gol92].) Hence, we do not set them out here. We specifically assumed a semantics in which all the rules and axioms concerning logical connectives preserve soundness. Since we assume the real numbers are part of our models, the axioms concerning them must all be valid. Likewise, because the $Pr(\varphi)$ terms are interpreted as conditional probabilities of events, the RV axioms are valid in our semantics since they reflect basic facts about probability measures. The accessibility relations, set out above in §4, are clearly equivalence relations. Thus, by a standard result of modal logic, the S5 axioms are all valid and Nec (for the knowledge operators) is theorem preserving (cf. [Che80]). The temporal reasoning axioms are similarly valid and Nec for the temporal operator is theorem preserving based on the time structure of our model of computation (cf. [Gol92]). Validity of KR is immediate and that of RK is direct from the definition of an $S$-event. Therefore, the only axioms that need be checked are the I/O axioms. Let $S \subseteq C$ be a subject, $c \in S$ a channel, $i \in I$ an input, $o \in O$ an output, and $r \in \mathbb{R}$ be a real number.

RI  $Pr_S(c'_{in} = i) = r \rightarrow R_S(Pr_S(c'_{in} = i) = r)$

Given a world $P_1$, suppose that $v_{P_1}(Pr_S(c'_{in} = i)) = r$. Let $P_2$ be a world such that $\delta_S(P_1, P_2)$. Then $P_1$ and $P_2$ have the same $S$-history and $\Delta_S(tree(P_1), tree(P_2))$. Thus, there exists a point $P_3 \in tree(P_2)$ such that $P_1$ and $P_3$ have the same $S$-history, and $v_{P_1}(Pr_S(c'_{in} = i)) = v_{P_3}(Pr_S(c'_{in} = i)) = r$. But, the definition of $v_P(Pr_S(\varphi))$ guarantees that if there is such a $P_3$ then for any $P \in tree(P_2)$ that has the same $S$-history as $P_1$, $v_P(Pr_S(c'_{in} = i)) = r$, in particular $v_{P_2}(Pr_S(c'_{in} = i)) = r$. So, by the truth conditions for $R_S$, $v_{P_1}(R_S(Pr_S(c'_{in} = i) = r)) = true$. So, by the truth conditions for the conditional, RI is true at every world $P$, hence valid.
KO  $Pr_S(c'_{out} = o) = r \rightarrow K_S(Pr_S(c'_{out} = o) = r)$

Given a world $P_1$, suppose that $v_{P_1}(Pr_S(c'_{out} = o)) = r$. Let $P_2$ be a world such that $\kappa_S^{powerful}(P_1, P_2)$. Since $c \in S$, $c'_{out} = o$ is clearly an $S$-event. So, by definition of the $\kappa_S^{powerful}$ relation, $v_{P_2}(Pr_S(c'_{out} = o)) = \mu_{A_2}(\Omega_{S,P_2}(c'_{out} = o)) = \mu_{A_1}(\Omega_{S,P_1}(c'_{out} = o)) = v_{P_1}(Pr_S(c'_{out} = o)) = r$. So, by the truth conditions for $K_S$, $v_{P_1}(K_S(Pr_S(c'_{out} = o) = r)) = true$. So, by the truth conditions for the conditional, KO is true at every world $P$, hence valid.

□

This  completes  our  discussion  of  the  logic  itself.  In  the  remainder  of  the  paper  we  focus  on 
security  and  applications  of  the  logic  thereto. 

6  Formal  Definition  of  Security 

In this section, we give a definition of security — which we call the Syntactic Security Condition (SSC) — using the powerful-adversary-knowledge and permitted-knowledge operators
of  our  logic.  This  definition  is  based  on  the  definition  of  “Causality”  given  by  Bieber  and 
Cuppens  [BC92],  which  was  based  on  the  work  of  Glasgow,  MacEwen,  and  Panangaden 
[GMP90].  Although  the  statement  of  SSC  is  almost  syntactically  identical  to  Bieber  and 
Cuppens’  definition  of  Causality,  due  to  the  differences  in  the  semantics  of  the  respective 
logics,  the  meanings  of  (i.e.,  the  semantic  interpretations  of)  SSC  and  Causality  are  different. 
In  fact,  it  is  straightforward  to  show  that  for  deterministic  systems,  the  meaning  of  SSC  is 
equivalent  to  the  meaning  of  Causality.  Thus,  since  SSC  additionally  applies  to  probabilistic 
systems,  SSC  can  be  viewed  as  a  generalization  of  Causality.  In  the  second  subsection,  we 
show  that  the  meaning  of  SSC  is  equivalent  to  the  definition  of  Probabilistic  Noninterference 
given  in  [Gra92]. 

6.1  The  Syntactic  Security  Condition 

For a given subject $L$, the syntactic security condition intuitively says that at all times and for any fact $\varphi$ (i.e., $\varphi$ is a formula in our logic), if $L$ knows $\varphi$, then $L$ is permitted to know $\varphi$. As mentioned above, this intuitive explication of security was first suggested by Glasgow, MacEwen, and Panangaden [GMP90] and further refined by Bieber and Cuppens [BC92]. We state SSC in our formalism as follows.

Definition 6.1 Let $L \subseteq C$ be a subject. Suppose a system $\Sigma$ is described by a set of formulae in our logic, $\Gamma$. We say that $\Gamma$ satisfies the Syntactic Security Condition (SSC) with respect to $L$ if and only if for any formula $\varphi$,

\Gamma \vdash \Box(K_L(\varphi) \rightarrow R_L(\varphi))

□

It is illuminating to consider for what kinds of formulae, $\varphi$, the sentence $K_L(\varphi)$ is derivable but the formula $R_L(\varphi)$ is not (i.e., what kind of formulae distinguish secure systems from insecure ones). There are two ways in which this might occur. First, we may be able to derive the formula $K_L(\varphi)$ from the set of premises $\Gamma$ and the standard S5 axioms for the $K_L$ operator but not be able to derive $R_L(\varphi)$ from $\Gamma$ and the standard S5 axioms for $R_L$. Since the S5 axioms are the same for $K_L$ and for $R_L$, this would mean that the premises fairly directly imply that $L$ knows $\varphi$ but $L$ is not permitted to know $\varphi$. However, in what we envision as the typical application of our logic, the set of premises, $\Gamma$, consists of a set of formulae saying that subjects always know that the system description always holds — where 'know' refers to weak-adversary knowledge. Given the axioms of our logic, from $\Gamma$ we can also derive the set of formulae actually describing the system and the various other relevant temporal and epistemic formulae concerning the system description itself. Therefore, the formula $K_L(\varphi)$ will be derivable from $\Gamma$ and the standard S5 axioms only in the case that $R_L(\varphi)$ is derivable from $\Gamma$ and the standard S5 axioms. Hence, we do not expect that the premises and the standard S5 axioms alone will determine whether or not a system is secure.

The second way in which the formula $K_L(\varphi)$ may be derived but not the formula $R_L(\varphi)$ is by using axiom KO (in conjunction with the other axioms, rules, and premises). Intuitively, axiom KO says that subjects always know the (conditional) distribution on the outputs that they can see. Recall that there is no corresponding axiom RO. Thus, subjects always know the (conditional) distribution on the outputs that they can see, but it is not necessarily the case that they are permitted to know that distribution. This is the essential difference between the two operators. And further, understanding this difference illuminates the nature of proving SSC; that is, proving SSC (with respect to some subject $L$) requires a proof that $L$ is permitted to know the (conditional) distribution on outputs to $L$. This would typically involve showing that this (conditional) distribution is logically derivable from other facts that $L$ is permitted to know. In the typical application, these "other facts" would be the (conditional) distribution on inputs from $L$ and the system description. Therefore, in the typical application, a system satisfies SSC (with respect to some subject $L$) only if the (conditional) distribution on outputs to $L$ is logically derivable from the (conditional) distribution on inputs from $L$ and the system description. As will be seen in §7, this point is important for practical verification purposes.

6.2  Relationship  to  Probabilistic  Noninterference 

In  this  subsection,  we  recall  the  definition  of  Probabilistic  Noninterference  (PNI)  and  prove 
that  the  semantic  interpretation  of  SSC  is  equivalent  to  PNI.  First,  let’s  state  the  semantic 
interpretation  of  SSC. 

Definition 6.2 Let $L \subseteq C$ be a subject. Suppose a system $\Sigma$ is described by a set of formulae in our logic, $\Gamma$. We say that $\Gamma$ satisfies the Semantic Interpretation of the SSC with respect to $L$ if and only if for any formula $\varphi$,

\Gamma \models \Box(K_L(\varphi) \rightarrow R_L(\varphi))

□


Now,  we  state  the  definition  of  PNI  in  terms  of  our  model. 

Definition 6.3 Let $A_1$ and $A_2$ be two adversaries that satisfy the Secure Environment Assumption. We will say that $A_1$ and $A_2$ agree on $L$ behavior iff there exist $\mathcal{H}_1$, $\mathcal{H}_2$, and $\mathcal{L}$ such that $\mathcal{H}_1$ and $\mathcal{L}$ are the unique probability functions that describe $A_1$ (as in Definition 2.2) and $\mathcal{H}_2$ and $\mathcal{L}$ are the unique probability functions that describe $A_2$. □

Observation 6.4 If $T_{A_1}$ and $T_{A_2}$ are $\Delta_L$-accessible, then $A_1$ and $A_2$ agree on $L$ behavior. □

Definition 6.5 Let $\Sigma$ be a system with computation trees $\mathcal{T}(\Sigma)$. We say that $\Sigma$ satisfies Probabilistic Noninterference (PNI) with respect to a subject $L \subseteq C$ iff for any two trees satisfying the Secure Environment Assumption, $T_A, T_{A'} \in \mathcal{T}(\Sigma)$, and any $L$-event, $e$, if $A$ and $A'$ agree on $L$ behavior, then

\mu_A(e) = \mu_{A'}(e)

□


PNI  is  equivalent  to  Browne’s  (independently  developed)  Stochastic  Non-Interference  [Bro89]. 
The  significance  of  PNI  is  that  it  is  arguably  a  necessary  and  sufficient  condition  for  a  system 
to  be  free  of  covert  channels  (cf.  [Bro91]). 

Before  we  prove  the  main  result  of  this  section,  we  state  and  prove  a  lemma. 


Lemma 6.6 Suppose that $T_A$ and $T_{A'}$ are two trees that agree on $L$ behavior (and satisfy the Secure Environment Assumption). Further suppose that for any two points, $P_1 \in T_A$, $P_2 \in T_{A'}$, and any low output vector, $b \in O[L]$, if $P_1$ and $P_2$ have the same $L$-history, then

v_{P_1}(Pr_L(L'_{out} = b)) = v_{P_2}(Pr_L(L'_{out} = b))

Then, for any $L$-event, $e$,

\mu_A(e_A) = \mu_{A'}(e_{A'})


Proof: First we prove this lemma for a certain subset of $L$-events, namely those $L$-events corresponding to a finite $L$-history.

Let $e$ be an $L$-event such that there exists a time, $k$ (the length of $e$), and a characteristic run, $\rho$, such that for any run, $\rho'$, $\rho' \in e$ iff $\rho'$ has the same $L$-history as $\rho$ up to time $k$. That is, $e$ corresponds to the finite $L$-history characterized by $\rho$ up to time $k$.

We now prove the lemma (for this subclass of $L$-events) by induction on the length of $e$.

Base case: The length of $e$ is zero.

Since all runs have the same $L$-history up to time 0, the only two $L$-events of length 0 are the empty set, $\emptyset$, and the set of all runs from all trees, $\mathcal{R}$. In the former case,

\mu_A(\emptyset_A) = 0 = \mu_{A'}(\emptyset_{A'})

and in the latter case,

\mu_A(\mathcal{R}_A) = 1 = \mu_{A'}(\mathcal{R}_{A'})

Thus, the base case is proved.

Induction case: Assume the lemma holds for all $L$-events (corresponding to finite $L$-histories) of length $k$. Let $e$ be an $L$-event corresponding to a finite $L$-history of length $k + 1$. Suppose that $\rho$ is a run that (up to time $k + 1$) characterizes $e$.

Now, let $e'$ be the $L$-event characterized by $\rho$ up to time $k$. Intuitively, $e'$ corresponds to the finite $L$-history obtained by truncating $e$ at time $k$. By the induction hypothesis,

\mu_A(e'_A) = \mu_{A'}(e'_{A'})   (2)

We have two cases.

Case 1: $\mu_A(e'_A) = 0$.

Note that $e \subseteq e'$. That is, every run that has the same $L$-history as $\rho$ up to time $k + 1$ also has the same $L$-history as $\rho$ up to time $k$. Thus,

\mu_A(e) \le \mu_A(e') \quad\text{and}\quad \mu_{A'}(e) \le \mu_{A'}(e')

Further, since no event can have a negative measure, making use of Equation 2 we have that

\mu_A(e) = \mu_A(e') = \mu_{A'}(e') = \mu_{A'}(e)   (3)


Case 2: $\mu_A(e'_A) > 0$.

By Equation 2, we also have that $\mu_{A'}(e'_{A'}) > 0$. Thus, by the definition of conditional probability,

\mu_A(e) = \mu_A(e') \cdot \mu_A(e \mid e')   (4)

and

\mu_{A'}(e) = \mu_{A'}(e') \cdot \mu_{A'}(e \mid e')   (5)

Let $\alpha \in I_{L,k}$ and $\beta \in O_{L,k}$ be the low input and output history, resp., that characterize $e'$ and let $a \in I[L]$ and $b \in O[L]$ be the low input and output vectors at time $k + 1$ that are needed to additionally characterize $e$. Then, by our construction of the probability measures ($\mu_A$) and by the Secure Environment Assumption, we have that

\mu_A(e \mid e') = \mu_A(b \mid e') \cdot \mathcal{L}(a \mid \alpha, \beta, k)   (6)

and

\mu_{A'}(e \mid e') = \mu_{A'}(b \mid e') \cdot \mathcal{L}'(a \mid \alpha, \beta, k)   (7)

where $\mathcal{L}$ is the low environment of $A$ and $\mathcal{L}'$ is the low environment of $A'$.

Since $A$ and $A'$ agree on $L$ behavior,

\mathcal{L}(a \mid \alpha, \beta, k) = \mathcal{L}'(a \mid \alpha, \beta, k)   (8)

Further, since $\mu_A(e') > 0$ and $\mu_{A'}(e') > 0$, there exist points in both trees, $P_1 \in T_A$ and $P_2 \in T_{A'}$, each of whose $L$-histories is $(\alpha, \beta)$. By the assumptions in the lemma,

v_{P_1}(Pr_L(L'_{out} = b)) = v_{P_2}(Pr_L(L'_{out} = b))

But notice that $\Omega_{L,P_1} = e' = \Omega_{L,P_2}$. Therefore, by our definition of the assignment function,

\mu_A(b \mid e') = \mu_{A'}(b \mid e')   (9)

Thus, by Equations 6, 7, 8, and 9, we have that

\mu_A(e \mid e') = \mu_{A'}(e \mid e')   (10)

and finally, by Equations 2, 4, 5, and 10, we have that

\mu_A(e) = \mu_{A'}(e)

Thus, in both cases $\mu_A(e) = \mu_{A'}(e)$ and the induction case is proved.

Now, we can complete the proof by observing that every $L$-event can be constructed by taking a finite number of unions and complementations of $L$-events that correspond to finite $L$-histories. That is, the $L$-events that correspond to finite $L$-histories are analogous to the generators of our event spaces. Thus, the desired result that for an arbitrary $L$-event, $e$, $\mu_A(e) = \mu_{A'}(e)$ follows from the fact that the measures are equal on all of the $L$-events, $\{e_i\}$, that are used to construct $e$ in this fashion. □

We  can  now  prove  the  following  theorem  relating  PNI  and  SSC. 

Theorem 6.7 Let $\Gamma$ be a set of formulae describing $\Sigma$ and let $L \subseteq C$ be a subject. Then, $\Sigma$ satisfies PNI with respect to $L$ iff $\Gamma$ satisfies the semantic interpretation of SSC with respect to $L$.
Proof: First we show the forward direction. Suppose $\Sigma$ satisfies PNI and let $P_1$ be a point such that $P_1 \models \Gamma$. We must show that for any formula $\varphi$,

v_{P_1}(\Box(K_L(\varphi) \rightarrow R_L(\varphi))) = true   (11)

Applying the semantic assignment function, $v_{P_1}$, to Formula 11, we get

For any point, $P_2$, reachable from $P_1$,
  if for any point $P_3$, $\kappa_L^{powerful}(P_2, P_3)$ implies $v_{P_3}(\varphi) = true$   (12)
  then for any point $P_3$, $\delta_L(P_2, P_3)$ implies $v_{P_3}(\varphi) = true$

Let $P_2$ be a point reachable from $P_1$ and assume that

for any point $P_3$, $\kappa_L^{powerful}(P_2, P_3)$ implies $v_{P_3}(\varphi) = true$   (13)

Now, let $P_3$ be an arbitrary point. To prove Formula 11, it is sufficient to show that

\delta_L(P_2, P_3) \text{ implies } v_{P_3}(\varphi) = true   (14)

If $\kappa_L^{powerful}(P_2, P_3)$, then by Formula 13, $v_{P_3}(\varphi) = true$ and so Formula 14 holds. Therefore, assume that not $\kappa_L^{powerful}(P_2, P_3)$; that is, assume that either

1. $P_2$ and $P_3$ do not have the same $L$-history; or

2. for some $L$-event $e$, $\mu_{A(P_2)}(e \mid \Omega_{L,P_2}) \ne \mu_{A(P_3)}(e \mid \Omega_{L,P_3})$ (where $A(P_2)$ is the adversary corresponding to the tree containing $P_2$ and $A(P_3)$ is the adversary corresponding to the tree containing $P_3$).

Assuming that $P_2$ and $P_3$ do not have the same $L$-history (i.e., item 1 above), by the definition of $\delta_L$ we have not $\delta_L(P_2, P_3)$ and so Formula 14 is true. Therefore, assume that $P_2$ and $P_3$ do have the same $L$-history, but that item 2 holds. Let $e$ be an $L$-event for which item 2 holds. We have two cases.

1. $\mu_{A(P_2)}(e) \ne \mu_{A(P_3)}(e)$. Since $e$ is an $L$-event, PNI implies that $T_{A(P_2)}$ and $T_{A(P_3)}$ differ on $L$ behavior.

2. $\mu_{A(P_2)}(\Omega_{L,P_2}) \ne \mu_{A(P_3)}(\Omega_{L,P_3})$. Since, by assumption, $P_2$ and $P_3$ have the same $L$-history, $\Omega_{L,P_2}$ and $\Omega_{L,P_3}$ represent projections of the same $L$-event onto their respective computation trees. Let $e'$ be that $L$-event. Therefore, in this case, $\mu_{A(P_2)}(e') \ne \mu_{A(P_3)}(e')$ and, again, PNI implies that $T_{A(P_2)}$ and $T_{A(P_3)}$ differ on $L$ behavior.

Thus, in either case, $T_{A(P_2)}$ and $T_{A(P_3)}$ differ on $L$ behavior and therefore, by Observation 6.4, $T_{A(P_2)}$ and $T_{A(P_3)}$ cannot be $\Delta_L$-accessible. Further, by the definition of $\delta_L$ we have not $\delta_L(P_2, P_3)$. Hence, Formula 14 is true.

Therefore, Formula 14 is true in all cases and $\Gamma$ satisfies the semantic interpretation of SSC.

Now we show that if $\Gamma$ satisfies the semantic interpretation of SSC (with respect to $L$), then $\Sigma$ satisfies PNI (with respect to $L$). Suppose that $\Sigma$ does not satisfy PNI; that is, there exist adversaries, $A$ and $A'$, that satisfy the Secure Environment Assumption and that agree on $L$ behavior, and an $L$-event, $e$, such that

\mu_A(e) \ne \mu_{A'}(e)

We want to show that $\Gamma$ does not satisfy the semantic interpretation of SSC. To do so, it is sufficient to exhibit a point, $P$, and a formula $\varphi$ such that $P \models \Gamma$ and $P \not\models \Box(K_L(\varphi) \rightarrow R_L(\varphi))$. We choose $P$ and $\varphi$ as follows.

Since $A$ and $A'$ agree on $L$ behavior and there exists an $L$-event, $e$, such that

\mu_A(e) \ne \mu_{A'}(e)

by Lemma 6.6, there must exist two points, $P_1 \in T_A$, $P_2 \in T_{A'}$, and a low output vector, $b \in O[L]$, such that $P_1$ and $P_2$ have the same $L$-history and

v_{P_1}(Pr_L(L'_{out} = b)) \ne v_{P_2}(Pr_L(L'_{out} = b))

Let $P_1$ and $P_2$ be such points and suppose that, in fact,

v_{P_1}(Pr_L(L'_{out} = b)) = r \ne v_{P_2}(Pr_L(L'_{out} = b))

Therefore, choose $P = P_1$ and choose $\varphi = (Pr_L(L'_{out} = b) = r)$.

By axiom KO, and the soundness of our logic, $v_P(K_L(\varphi)) = true$. But, we have that $\delta_L(P, P_2)$ and $v_{P_2}(\varphi) = false$. Therefore, $v_P(R_L(\varphi)) = false$, and hence $v_P(K_L(\varphi) \rightarrow R_L(\varphi)) = false$.

Since $\Gamma$ specifies $\Sigma$ and $T_A$ is a computation tree for $\Sigma$, $P \models \Gamma$ and the theorem is proved.

□

The  significance  of  this  theorem  is  that  (given  soundness)  verifying  that  a  system  satisfies 
SSC  is  sufficient  to  show  that  it  satisfies  PNI,  which  (as  was  previously  mentioned)  is  a 
necessary  and  sufficient  condition  for  a  system  to  be  free  of  covert  channels.  In  the  next 
section,  we  discuss  the  issue  of  verifying  SSC. 
7 Verification

Thus far in the paper, we have given a logic that can be used to specify a computer system and verify that it satisfies PNI. This process consists of two steps: (1) specify the system under consideration as a set of premises $\Gamma$; (2) prove that $\Gamma \vdash K_L(\varphi) \rightarrow R_L(\varphi)$ for every formula $\varphi$.^

Since we do not quantify over formulae, it is impossible to formally deduce that for every formula $\varphi$, $\Gamma \vdash K_L(\varphi) \rightarrow R_L(\varphi)$; this would require an infinite number of deductions.^

Perhaps this shows that the verification effort is not pointed in the right direction. After all, many of the formulae of the language, e.g., $2 + 2 = 4$, will have nothing to do with the security of a given system.

It thus seems desirable to find a verification condition that (1) is entirely expressible within our logic (i.e., it does not require metalinguistic variables such as $\varphi$), and (2) does not
require  the  verifiers  to  prove  things  that  have  nothing  to  do  with  security.  In  the  following 
two  subsections,  we  give  such  a  condition  and  discuss  its  relationship  to  previous  work. 

7.1  Syntactic  Statement 

In  [McL90],  McLean  defines  the  Flow  Model  (FM)  with  the  motivation  of  providing  an 
abstract,  but  precise,  explication  of  information  flow  security.  McLean’s  intent  for  FM  is 
to  provide  a  characterization  of  security  against  which  more  concrete  security  models  can 
be  evaluated.  In  [Gra92],  the  first  author  studies  a  more  concrete  version  of  FM,  called  the 
Applied  Flow  Model  (AFM),  and  it  is  shown  therein  that  AFM  captures  a  strictly  stronger 
notion  of  security  than  PNI. 

In this paper, we have another reason for studying AFM: it is more easily verified than SSC. It was already discussed above that proving SSC requires a proof that for any $\varphi$ the formula $K_L(\varphi) \rightarrow R_L(\varphi)$ can be derived from the set of premises, $\Gamma$. The usual technique for such a proof is to proceed by induction on the structure of $\varphi$. (For example, one case of such a proof would be where $\varphi$ is of the form $\psi \wedge \psi'$ and where the inductive hypothesis allows us to assume that both $K_L(\psi) \rightarrow R_L(\psi)$ and $K_L(\psi') \rightarrow R_L(\psi')$ are derivable from $\Gamma$.) Such a proof requires the prover to consider one case for each way that a formula can be constructed, and as noted above, many of these cases may have nothing to do with the security of the system under consideration.

^Actually, this would be done for each security class $c$ by partitioning the set of communication channels into those that are dominated by $c$ (which are called $L$) and those that are not dominated by $c$ (which are called $H$).

^We can of course give an informal inductive proof on the structure of $\varphi$. But, this would not be a proof in the logic.

As discussed in §6.1, the crucial difference between the K and R operators is that there is no axiom for R that corresponds to axiom KO. In particular, it is always the case that

Pr_S(c'_{out} = o) = r \rightarrow K_S(Pr_S(c'_{out} = o) = r)

(for any given $S \subseteq C$, $c \in S$, $o \in O$, and $r \in \mathbb{R}$) but it is not necessarily the case that

Pr_S(c'_{out} = o) = r \rightarrow R_S(Pr_S(c'_{out} = o) = r)

Thus, if we can give a condition (i.e., a formula in our logic) that is sufficient to ensure that

Pr_L(c'_{out} = o) = r \rightarrow R_L(Pr_L(c'_{out} = o) = r)

is derivable from a set of premises $\Gamma$, then our intuition suggests that such a condition would be sufficient to ensure that $K_L(\varphi) \rightarrow R_L(\var phi)$ is derivable from $\Gamma$, for any formula $\varphi$. The following definition provides such a condition.

Definition 7.1 Let $L \subseteq C$ be a subject. Suppose $\Gamma$ is a set of premises that describe a system $\Sigma$. We say that $\Gamma$ satisfies the Syntactic Verification Condition (SVC) with respect to $L$ if and only if, for every $b \in O[L]$, the formula

$\Box(\Pr_C(L' = b) = r \to k_L(\Pr_L(L' = b) = r))$

is derivable from $\Gamma$. □

Intuitively, SVC says that at all times, assuming that the low environment is a weak adversary, he still knows the probability distribution on his next output.

In the next section, we will show that this statement is equivalent to a statement about conditional statistical independence. Namely, conditioned on the previous $L$-history, the next output on $L$ is statistically independent of the previous non-$L$ (i.e., high) history.
7.2 Relationship to Previous Formulations

In this section we show that $\Gamma \models \mathrm{SVC}$ if and only if the system specified by $\Gamma$ satisfies AFM (i.e., the relationship between SVC and AFM is analogous to the relationship between SSC and PNI).

Definition 7.2 Let $\Sigma$ be a system with computation trees $T(\Sigma)$ and let $L \subseteq C$ be a subject. We will say that $\Sigma$ satisfies the Applied Flow Model (AFM) with respect to $L$ iff for any tree $T_A \in T(\Sigma)$ (satisfying the Secure Environment Assumption with respect to $L$), any point $P \in T_A$, and any low output vector $b \in O[L]$,

$\mu_A(S_{C,P}(L' = b)) = \mu_A(S_{L,P}(L' = b))$

□

This definition is, except for minor notational differences, exactly the definition of AFM as given in [Gra92]. Now we can prove the following theorem.

Theorem 7.3 Let $\Gamma$ be a set of formulae describing $\Sigma$ and let $L \subseteq C$ be a subject. Then, $\Sigma$ satisfies AFM with respect to $L$ iff $\Gamma$ satisfies the semantic interpretation of SVC with respect to $L$.

Proof: Let $T(\Sigma)$ be the set of computation trees for $\Sigma$. Suppose that $\Gamma$ satisfies the semantic interpretation of SVC with respect to $L$. That is, for any point $P_1$ in any tree in $T(\Sigma)$,

$v_{P_1}(\Box(\Pr_C(L' = b) = r \to k_L(\Pr_L(L' = b) = r))) = \mathit{true}$

By applying the semantic assignment function, we have for any point $P_2 \in \rho \in \mathit{extensions}(P_1)$ that

$v_{P_2}(\Pr_C(L' = b) = r) \to v_{P_2}(k_L(\Pr_L(L' = b) = r))$

Applying the semantic assignment function again, we have

$\mu_{A(P_2)}(S_{C,P_2}(L' = b)) = r \to \forall P_3\,[\mathcal{K}_L(P_2, P_3) \to \mu_{A(P_3)}(S_{L,P_3}(L' = b)) = r]$

(where $A(P_3)$ is the adversary corresponding to the tree containing $P_3$, and $\mathcal{K}_L$ is the accessibility relation for $k_L$), which is equivalent to

$\forall P_2, P_3\,[\mathcal{K}_L(P_2, P_3) \to \mu_{A(P_2)}(S_{C,P_2}(L' = b)) = \mu_{A(P_3)}(S_{L,P_3}(L' = b))]$ (15)

Thus, Formula 15 is equivalent to the statement that $\Gamma$ satisfies the semantic interpretation of SVC with respect to $L$. By choosing $P_2 = P_3 = P$ and by the reflexivity of $\mathcal{K}_L$, Formula 15 implies that $\Sigma$ satisfies AFM with respect to $L$.

We will now show that if $\Sigma$ satisfies AFM with respect to $L$, then Formula 15 holds. Suppose, for reductio, that $\mathcal{K}_L(P_2, P_3)$, but $\mu_{A(P_2)}(S_{C,P_2}(L' = b)) \neq \mu_{A(P_3)}(S_{L,P_3}(L' = b))$.

Since $T_{A(P_2)}, T_{A(P_3)} \in T(\Sigma)$, we may apply AFM (wrt $L$) to conclude that

$\mu_{A(P_2)}(S_{L,P_2}(L' = b)) \neq \mu_{A(P_3)}(S_{L,P_3}(L' = b))$

Recall from [Gra92] that any system satisfying AFM satisfies PNI (wrt the same subject). We will now show that the above equation is inconsistent with PNI, hence with AFM.

Suppose that $T_{A(P_2)}$ and $T_{A(P_3)}$ agree on low behavior. Then PNI is contradicted since $S_{L,P}(L' = b)$ is the $\mathit{tree}(P)$-projection of an $L$-event for any point $P$. So, suppose that $T_{A(P_2)}$ and $T_{A(P_3)}$ disagree on low behavior. By the Secure Environment Assumption, $A(P_2)$ and $A(P_3)$ can be given by

$A(P_2)(\alpha \mid \bar\alpha, \bar\beta, k) = \pi_2(\alpha|(C - L) \mid \bar\alpha, \bar\beta, k) \cdot \varepsilon_2(\alpha|L \mid \bar\alpha|L, \bar\beta|L, k)$

$A(P_3)(\alpha \mid \bar\alpha, \bar\beta, k) = \pi_3(\alpha|(C - L) \mid \bar\alpha, \bar\beta, k) \cdot \varepsilon_3(\alpha|L \mid \bar\alpha|L, \bar\beta|L, k)$

We can define a new adversary $A_4$, which satisfies the Secure Environment Assumption, by

$A_4(\alpha \mid \bar\alpha, \bar\beta, k) = \pi_3(\alpha|(C - L) \mid \bar\alpha, \bar\beta, k) \cdot \varepsilon_2(\alpha|L \mid \bar\alpha|L, \bar\beta|L, k)$

Thus, we also have $T_{A_4} \in T(\Sigma)$. We now show by induction on prefixes of the $C$-history of $P_3$ that $T_{A_4}$ contains a point $P_4$ with the same history on all channels as $P_3$, i.e., with the same $C$-history. Obviously $T_{A_4}$ contains the empty trace. Suppose that the time of $P_3$ is $k$ and that there is a point in $T_{A_4}$ with the same $C$-history as $P_3$ through time $k' < k$. By construction of the computation trees, and since $\mathcal{K}_L(P_2, P_3)$, the input and output vectors that extend the subhistory of $P_3$ to $k' + 1$ are assigned a positive branch probability in $T_{A_4}$. Therefore, by the structure of trees, there is a point $P_4 \in T_{A_4}$ with the same $C$-history as $P_3$ through time $k' + 1$.

Thus, by construction, $A(P_2)$ and $A(P_4)$ agree on $L$ behavior, but

$\mu_{A(P_4)}(S_{L,P_4}(L' = b)) = \mu_{A(P_3)}(S_{L,P_3}(L' = b)) \neq \mu_{A(P_2)}(S_{L,P_2}(L' = b))$

However, this contradicts PNI, hence AFM, and our supposition is discharged.

□

Since, as remarked, AFM is stronger than PNI [Gra92], the foregoing theorem shows that SVC is a sufficient condition for a system to satisfy PNI.

7.3 Examples, continued

We note here that the security of the encryption box of Example 3.1 with respect to a subject $L \subseteq C$ is formally derivable. In fact, once the assumptions are written down, there is virtually nothing to prove. Recall the system specification: if $C = \{h, l\}$, $I = \{0, 1\}$, and $O = \{0, 1\}$, then the system is specified by the following formula.

$\Box(\Pr_C(l'_{out} = 0) = \Pr_C(l'_{out} = 1) = 0.5)$

(In the initial specification relativisation to $C$ was left implicit for simplicity since it is tantamount to relativising to the system, $\Sigma$.) Recall also that subjects are assumed to always know that the system description holds at all times. Thus,

$\Gamma = \{\Box(\Pr_L(L'_{out} = 0) = \Pr_L(L'_{out} = 1) = 0.5)\}$

The only $b \in O[L]$ are 0 and 1; hence, the only antecedents for the SVC schema that are consistent with $\Gamma$ are $\Pr_C(L'_{out} = 0) = 0.5$ and $\Pr_C(L'_{out} = 1) = 0.5$. Thus, SVC with respect to $L$ for this system is:

$\Box((\Pr_C(L'_{out} = 0) = 0.5 \wedge \Pr_C(L'_{out} = 1) = 0.5) \to k_L(\Pr_L(L'_{out} = 0) = 0.5 \wedge \Pr_L(L'_{out} = 1) = 0.5))$

But, this is obviously derivable from $\Gamma$.

We also observe that for the insecure encryption box of Example 3.2, $\Gamma \nvdash \mathrm{SSC}$ (where $\Gamma$ encompasses those formulae that embody the system description and our assumptions about knowledge thereof). It is obvious that the insecure encryption box fails to satisfy PNI. By the attack described in the original example, we can easily find two adversaries that satisfy the Secure Environment Assumption and agree on low behavior and yet disagree on the probability of certain low events. Indeed, the low environment can assign 0/1 probabilities to any output sent by the high part of the adversary. By Theorem 6.7, we thus have that $\Gamma \nvDash \mathrm{SSC}$. And, by soundness (Theorem 5.1), it follows that $\Gamma \nvdash \mathrm{SSC}$.
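As an added illustration (not code from the paper), the AFM equality of Definition 7.2 can be checked exhaustively on a finite computation tree: for every reachable point, the next-low-output probability conditioned on the full C-history is compared with the one conditioned on the L-history alone. The secure box follows Example 3.1; the key-reusing box, the high environment `high_env` and the depth bound are constructed here as assumptions and are not the paper's Example 3.2.

```python
from fractions import Fraction
from collections import defaultdict

HALF = Fraction(1, 2)

def fresh_key_box(hist, h):
    # Example 3.1 box: a fresh uniform key bit each step, so L' is 0 or 1 with prob 1/2.
    return {0: HALF, 1: HALF}

def reused_key_box(hist, h):
    # Constructed insecure variant (an assumption, not the paper's Example 3.2): the key
    # bit k is drawn once, so the first step (h0, out0) fixes k = h0 ^ out0 for good.
    if not hist:
        return {0: HALF, 1: HALF}
    return {h ^ hist[0][0] ^ hist[0][1]: Fraction(1)}

def high_env(hist):
    # Constructed high part of the adversary (SEA lets it read the whole history): uniform bit, then 0.
    return {0: HALF, 1: HALF} if not hist else {0: Fraction(1)}

def next_low_dist(system, hist):
    # mu_A(S_{C,P}(L' = b)): the next low output conditioned on the full C-history.
    dist = defaultdict(Fraction)
    for h, ph in high_env(hist).items():
        for b, pb in system(hist, h).items():
            dist[b] += ph * pb
    return dist

def afm_violations(system, depth):
    # Definition 7.2 on the finite tree: at every point P of time <= depth, mu_A(S_{C,P}(L'=b)) must equal mu_A(S_{L,P}(L'=b)).
    bad, joint = [], {(): Fraction(1)}        # joint[hist] = Pr(reaching hist)
    for _ in range(depth + 1):
        low_mass, low_num = defaultdict(Fraction), defaultdict(Fraction)
        full = {hist: next_low_dist(system, hist) for hist in joint}
        for hist, p in joint.items():         # aggregate over the L-projection
            low = tuple(out for _, out in hist)
            low_mass[low] += p
            for b in (0, 1):
                low_num[low, b] += p * full[hist][b]
        for hist in joint:
            low = tuple(out for _, out in hist)
            for b in (0, 1):
                cond_low = low_num[low, b] / low_mass[low]
                if full[hist][b] != cond_low:
                    bad.append((hist, b, full[hist][b], cond_low))
        joint = {hist + ((h, b),): p * ph * pb   # extend every point by one step
                 for hist, p in joint.items()
                 for h, ph in high_env(hist).items()
                 for b, pb in system(hist, h).items() if ph * pb}
    return bad
```

For the fresh-key box the list of violations is empty at every depth, while for the key-reusing box every point after the first step is a violation: the full history fixes the next output, but conditioned on the low history alone it is still uniform.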

8 Conclusions

We have given a logic for specifying and reasoning about the multilevel security of probabilistic computer systems. Besides the practical benefits of providing a logic to reason about probabilistic systems, we have established connections between previous logical formulations of security (viz., [GMP90] and [BC92]), information-theoretic formulations of security (viz., [Bro89] and [Gra92]), and logical formulations of knowledge and probability in distributed systems (viz., [HT93]). These connections serve to increase our confidence that each formulation is correct.